Data Processing Agreement (DPA)
Please note: This English translation is provided for convenience only. Only the German version of this agreement is legally binding. Agreement on data processing pursuant to Art. 28 GDPR between you (controller) and BLOCQ (processor) for the app publishing service as well as the Custom App Development Service.
Preamble
This Data Processing Agreement (DPA) governs the rights and obligations of the parties in connection with the processing of personal data by BLOCQ on behalf of the user.
The user (hereinafter the "controller") instructs BLOCQ (hereinafter the "processor") to process personal data in the context of the app publishing service as well as – insofar as separately agreed with the controller – in the context of the Custom App Development Service (individual setup of an app).
The annexes to this agreement apply in addition.
Section 1 Subject Matter and Duration of the Processing
The subject matter of this agreement is the processing of personal data by the processor (a) in the context of app publishing via the BLOCQ Publishing Service and (b) in the context of the individual setup of an app for the controller (Custom App Development Service).
The processing begins with the transmission of the data by the controller and ends with the complete deletion of all transmitted data upon request of the controller or upon termination of the contractual relationship.
For subsequent updates and for the ongoing provision of the configured app, the data continues to be stored in accordance with the controller's specifications.
Section 2 Nature and Purpose of the Processing
The processor processes the personal data exclusively for the following purposes:
Compilation of the app configured by the controller
Signing of the app with the certificates provided by the controller
Publication of the app in the app stores (Apple App Store, Google Play Store) in the name of the controller
Storage of the data for future app updates
Within the scope of the Custom App Development Service: setup and configuration of the app on the basis of the content and specifications provided by the controller, as well as coordination and testing up to release
Generation of suggestions for the app name and store description texts by means of an AI service provider, insofar as the controller actively triggers this function
Section 3 Type of Personal Data
The following categories of personal data are processed:
App configuration data (ISAR export): Contains the app configuration created by the controller
Media files: logos, icons, background images, avatars and banners
Firebase configuration files: GoogleService-Info.plist and google-services.json (project IDs, no access credentials)
Apple Store signing and publishing files (API key .p8, certificate .p12, provisioning profile) — sensitive access keys of the controller, which the processor treats confidentially as a trade secret and uses solely for publishing in the name of the controller
Google Play publishing key (service account JSON) — sensitive access key of the controller, which is treated confidentially as a trade secret and used solely for publishing in the name of the controller
In the case of the Custom App Development Service, additionally: content provided by the controller (texts, product data, image material) as well as contact and project data required for coordination and setup
Content and end-user data of the app configured by the controller that is stored in the provided development database during the app creation (e.g. member, profile, contact, product or comparable data), depending on the modules activated and the content entered by the controller.
Administrator access credentials: In the case of publication without a dedicated Firebase instance, the administrator email address, an access PIN (exclusively as a non-reversible hash) and, where applicable, an administrator password are stored on the processor's server for the administration of the published app.
Special categories of personal data within the meaning of Art. 9 GDPR are excluded from the scope of processing of this agreement. Their processing in the development database is not permitted without a prior separate written agreement between the parties.
For the AI-assisted generation of the app name, store texts and design suggestions, the description entered by the controller is transmitted to the AI service provider (OpenAI, USA). If the controller additionally uses the ‚Magic Setup‘ function by providing a website address, publicly accessible content from that website (texts, colours, logo) is read out and likewise transmitted to OpenAI; if an industry or ordering portal is provided (e.g. Lieferando/Takeaway, Wolt, Treatwell), the business data publicly stored there (e.g. menu, services, categories, prices) is additionally retrieved. The controller is responsible for providing only its own websites or portals, or those it is authorised to use, and for not including any personal data of third parties in the description; the controller ensures that no personal data of third parties is transmitted to OpenAI without a legal basis via the pages provided.
Section 4 Categories of Data Subjects
The following are affected by the processing:
The controller itself as user of the BLOCQ Publishing Service
End users and members of the app created by the controller, whose personal data is processed in the app
Customers, contacts and other third parties whose data the controller introduces into the app
Section 5 Obligations of the Processor
The processor undertakes:
To process the personal data only on documented instructions from the controller
To ensure that the persons authorised to carry out the processing have committed themselves to confidentiality
To take all required technical and organisational measures pursuant to Art. 32 GDPR
To engage sub-processors only in accordance with Section 7, to inform the controller of any intended changes and to grant the controller a right to object
To support the controller in fulfilling its obligations regarding data subjects' rights
To notify the controller without undue delay in the event of personal data breaches
After termination of the processing, to delete or return all data
To inform the controller without undue delay if, in the processor's opinion, an instruction infringes the GDPR or other data protection provisions
Section 6 Technical and Organisational Measures (TOM)
The processor implements the following measures pursuant to Art. 32 GDPR:
Server (Hetzner, Nuremberg)
Entry control: data centre in Germany with access restrictions
Access control: SSH key-based authentication, no password logins
Transmission control: encrypted transmission via HTTPS/TLS
Input control: logging of all file uploads and accesses
Development database (Google Firebase, EU region)
Storage location: Firestore and Firebase Storage in an EU region (Belgium, europe-west1) — no third-country transfer
Encryption: encrypted transmission (TLS) and encrypted storage (at rest) by Google
Access control: access exclusively via authorised service accounts; tenant separation via the prefix blocq_developer/{appId}/
Deletion: automated deletion of content and end-user data after publication has taken place (see Section 11)
Builder system (Mac, Germany)
Physical security: location in Germany with access restriction
Access control: local system with no remote access from outside
Data separation: separate directories for each controller (by bundle ID)
Availability control: automatic backups of the configuration data
Web companion / bridge server (Hetzner, Nuremberg)
Storage location: server in Germany (Hetzner, Nuremberg) — no third-country transfer
Encrypted transmission (HTTPS/TLS, WebSocket over TLS); authentication via random device and session tokens
Data minimisation: pseudonymised audit log without request content; automatic deletion of sessions, pairing tokens and logs after fixed periods
General measures
Pseudonymisation: data is organised by bundle ID, not by personal characteristics
Confidentiality: all employees are obliged to maintain confidentiality
Resilience: redundant systems for critical processes
Recoverability: regular review of the backup procedures
Section 7 Sub-processors and Other Recipients
The controller grants BLOCQ a general authorisation to engage sub-processors within the meaning of Art. 28(2) GDPR. The sub-processors engaged as well as other transfer-relevant recipients, their registered office, scope of services, place of processing and transfer mechanism are set out in Annex 2. Insofar as a provider does not act as a sub-processor but as an independent platform operator or other recipient, the classification follows from Annex 1 and Annex 2.
BLOCQ will notify the controller of any intended addition or replacement of a sub-processor at least 14 days before it takes effect, in text form or via a suitable electronic procedure. The controller may object to the change within this period for an important data protection reason. If a justified objection is raised and BLOCQ cannot reasonably be expected to provide the service without the sub-processor concerned, both parties are entitled to extraordinarily terminate the affected part of the service.
BLOCQ contractually binds all sub-processors to data protection obligations that essentially correspond to the obligations of this DPA. BLOCQ remains responsible to the controller for the fulfilment of the data protection obligations of the sub-processors.
Services that are not integrated by BLOCQ on behalf of the controller, but are set up or used by the controller itself for its published app, in particular payment, email, map, smart lock, analytics or other module services of the published app, are not sub-processors of BLOCQ. The controller is solely responsible for their selection, configuration, legal basis, data protection information and contractual integration.
Section 7a AI Service Providers
Insofar as the controller actively triggers AI functions, BLOCQ processes the inputs required for this on behalf of the controller and transmits them to the AI service provider named in Annex 2. The processing serves exclusively to generate suggestions for app names, store description texts, design suggestions, structural suggestions and comparable supporting content.
The controller may not enter into AI inputs any personal data of third parties, any special categories of personal data within the meaning of Art. 9 GDPR, any confidential information of third parties, or any content that it is not authorised to process or transmit to the AI service provider. Deviations require a separate prior agreement.
AI outputs are machine-generated suggestions. BLOCQ does not owe any review of the AI outputs in terms of content, legal, technical, copyright, trademark or competition law. The controller is obliged to independently review AI outputs before each use and to publish only lawful, accurate and suitable content.
Section 8 Obligations of the Controller
The controller is obliged:
To ensure that the transmitted data was collected lawfully
To provide its own Apple Developer and Google Play Developer accounts
To ensure the accuracy and currency of the transmitted data
To provide the processor with all information necessary for the processing
During the creation phase (AppBuilder mode), to enter exclusively demo and test data and not to record any real personal data of third parties; to process real personal data only after publication in its own Firebase instance
Not to process special categories of personal data within the meaning of Art. 9 GDPR (e.g. health, religious or trade union data, biometric data) in the development database without a prior separate written agreement with the processor
Section 9 Support Obligations
The processor supports the controller with:
Requests from data subjects (Art. 15-22 GDPR)
Notification of personal data breaches (Art. 33-34 GDPR)
Data protection impact assessments (Art. 35 GDPR)
Prior consultation of the supervisory authority (Art. 36 GDPR)
Personal data breaches
BLOCQ informs the controller without undue delay, but at the latest within 24 hours of becoming aware, of breaches of the protection of personal data within the meaning of Art. 4 No. 12 GDPR, insofar as the data processed by BLOCQ on behalf of the controller is affected.
The notification contains, insofar as the information is already available to BLOCQ at that time, a description of the nature of the incident, the affected data categories, the affected systems, the likely consequences, the remedial measures taken or proposed, as well as a contact point for queries. If individual information is not yet available, BLOCQ provides it subsequently without undue delay.
BLOCQ supports the controller, to the extent necessary and reasonable, in the review, documentation and fulfilment of any reporting and notification obligations under Art. 33 and 34 GDPR.
Section 10 Audit Rights
The controller has the right to verify compliance with this agreement. This may be done by requesting evidence, certificates or self-disclosures.
On-site inspections are possible after prior notice (at least 14 days) and while safeguarding trade secrets.
Upon request, the processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
Section 11 Deletion and Return
The processor deletes the content and end-user data stored in the development database (cf. Section 3) automatically as soon as the controller has confirmed the go-live of the app in the store and a period of 14 days has subsequently elapsed. The deletion covers the entire data inventory of the app in the development database (Firestore and Storage) and is logged by the system. At the controller's request, the deletion also takes place earlier. For build and signing artefacts (app configuration, certificates, keys), the following choice applies, as these are required for future app updates.
The build data uploaded to the processor's server during the publishing process (app configuration, media files) is only cached for the duration of the processing and removed from the server after completion of the build process; incomplete orders are automatically cleaned up no later than after 14 days.
The controller may choose between:
Complete deletion of all data (server and builder)
Return of the data in a common format prior to deletion
Retention of the build and signing artefacts for future updates (default); the content and end-user data is not covered by this and is in any case automatically deleted 14 days after confirmed go-live
The deletion is confirmed in writing. Statutory retention obligations remain unaffected.
Section 12 Liability
The liability of the parties towards data subjects is governed by Art. 82 GDPR and the other mandatory statutory provisions.
As processor, BLOCQ is liable for damage caused by processing where BLOCQ has not complied with its obligations under the GDPR specifically applicable to processors, or has acted in disregard of, or contrary to, lawfully issued instructions of the controller.
BLOCQ is exempt from liability insofar as BLOCQ proves that it is not in any way responsible for the event giving rise to the damage.
Insofar as one party is held liable by a data subject for compensation for damage caused in whole or in part by the respective other party, an internal settlement takes place between the parties in accordance with the respective share of responsibility and causation. The controller indemnifies BLOCQ against claims insofar as these are based on an unlawful instruction, a missing legal basis, insufficient data subject information, impermissible content, impermissible module use or any other breach of duty by the controller. This does not apply insofar as BLOCQ is itself responsible for the claim.
Section 13 Final Provisions
This DPA forms part of the General Terms and Conditions and becomes effective upon use of the BLOCQ Publishing Service.
Amendments and supplements to this agreement must be made in writing. This also applies to the waiver of this written form requirement.
German law applies. The place of jurisdiction is the registered office of the processor.
Contact
If you have any questions about the Data Processing Agreement or the exercise of your rights, please contact us at:
As of
June 2026
Florian Zandberg
Am Bahnhof 8A, 21739 Dollern
datenschutz@blocq.io
Annex 1 – Role Delineation
(1) BLOCQ processes personal data as a processor insofar as BLOCQ processes personal data on documented instructions of the controller within the scope of the AppBuilder mode, the development database, the Publishing Service, the Custom App Development Service or the AI/Magic Setup functions triggered by the controller.
(2) BLOCQ processes personal data as its own controller insofar as the processing takes place for the establishment, performance or billing of the contract with the user, for licence management, fraud and abuse prevention, IT security, logging, support handling, enforcement of its own rights or fulfilment of statutory obligations. These processing operations are not the subject of this DPA.
(3) The controller remains solely responsible for the published app, its content, legal bases, data subject information, legal notice (Impressum), privacy policy, consents, Firebase configuration and the processing of personal data of its end users.
(4) Apple, Google and other platform operators generally act, with regard to the operation of their app stores, developer accounts, payment processing and platform policies, as independent controllers or in accordance with their own contractual terms. A classification as a sub-processor applies only insofar as BLOCQ actually engages them as a sub-processor for processing on behalf in the specific publishing operation.
Annex 2 – Sub-processors and Third-country Transfers
The following overview contains the sub-processors engaged by BLOCQ as well as other transfer-relevant recipients. Insofar as a provider does not act as a sub-processor but operates as an independent platform operator or in accordance with its own contractual terms, this is to be taken into account accordingly in Annex 1. BLOCQ informs the controller of any intended addition or replacement of a sub-processor at least 14 days in advance. The controller may object for an important data protection reason. BLOCQ ensures that sub-processors are imposed essentially the same data protection obligations as those incumbent on BLOCQ towards the controller. BLOCQ remains responsible to the controller for the fulfilment of the obligations of the sub-processors.
A transfer of personal data to a third country or to an international organisation only takes place insofar as this is necessary for the provision of the service and the requirements of Art. 44 et seq. GDPR are met.
Insofar as an adequacy decision of the European Commission exists for a recipient, in particular a valid certification under the EU-US Data Privacy Framework, BLOCQ bases the transfer primarily on Art. 45 GDPR.
Insofar as no adequacy decision exists or it is not applicable, BLOCQ bases the transfer on appropriate safeguards pursuant to Art. 46 GDPR, in particular on the respectively applicable EU Standard Contractual Clauses. In this case, BLOCQ assesses, where necessary, whether additional technical, organisational or contractual measures are required in order to ensure an adequate level of protection.
BLOCQ will carry out third-country transfers only to the extent necessary for the respective purpose. In the case of AI and Magic Setup functions, only the content entered by the controller or publicly accessible via the source provided by the controller is transmitted to the AI service provider. IP address, device identifier or other technical end-device data of the controller is not specifically transmitted to the AI service provider as user data, insofar as this is technically avoidable.
The controller is informed that third-country transfer mechanisms may be subject to changes due to case law, supervisory authorities, legislation or provider certifications. BLOCQ will communicate material changes that affect the lawfulness of the data processing and will make the necessary adjustments.
Annex 3 – Special TOM for Publishing and Signing Keys
BLOCQ processes Apple signing files, Apple API keys, .p8 files, .p12 certificates, provisioning profiles, Google Play service account files, Firebase configuration files and comparable publishing or signing keys exclusively for the creation, signing, publication and updating of the app in the name of the controller.
The transmission of such keys to BLOCQ takes place in encrypted form. BLOCQ caches publishing and signing keys only in encrypted form. Decryption takes place exclusively on the builder system designated for this purpose and only for the duration required to carry out the specific build, signing, upload or update process.
Access to publishing and signing keys is restricted to persons and systems that absolutely require this access for the provision of the service. Access takes place on a need-to-know basis. Administrative access must be appropriately protected, in particular by strong authentication, role-based permissions and technical access restrictions.
BLOCQ logs security-relevant accesses and processing operations relating to publishing and signing keys, insofar as this is necessary for traceability, abuse prevention and security control. The contents of the keys themselves are not stored in logs.
Publishing and signing keys are not stored in unencrypted backups. Insofar as backups are technically unavoidable, these are encrypted, access-restricted and handled in accordance with a documented retention and deletion concept.
After completion of the build or publishing process, temporary copies of the publishing and signing keys are deleted, insofar as the controller has not expressly chosen retention for later updates. Incomplete publishing orders are cleaned up no later than after 14 days.
If the controller chooses to retain build and signing artefacts for later updates, this takes place exclusively for the purpose of future build, publishing and update services. The controller may request deletion at any time; thereafter, corresponding build, publishing and update services are only possible if the controller provides the required keys again.
In the event of a suspected compromise of publishing or signing keys, BLOCQ informs the controller without undue delay. BLOCQ supports the controller, to a reasonable extent, in blocking, rotating, renewing or removing the affected keys, certificates or service accounts.
As of: 30 June 2026