This is our Data Processing Agreement

Please read this legal document carefully. We trust you will not find unexpected surprises – TIXATOR does not share data with anybody but technical services used in our operations. No reselling, no data sharing, no tracking. 

─ CEO, PLANIS E3, Creators of TIXATOR

Effective date: 2025-11-11
Version: 1.0

Data Processing Agreement (DPA) under Art. 28 GDPR — English Translation

Between

Controller (“Customer”)
and
PLANIS E3 Empathy Engineering GmbH, Am Kiel‑Kanal 2, 24106 Kiel, Germany, HRB 23630 (Local Court Kiel), VAT ID DE346711843, email: hallo@planis.de
Processor (“PLANIS”).

§1 Subject, Term, Place of Processing

(1) Subject. Processing of personal data for providing TIXATOR (Shopify event‑ticketing app including scanner app and web dashboard).
(2) Term. Duration of the main agreement (Terms of Service) plus deletion/return periods under §10.
(3) Locations. EU/EEA and, for sub‑processors, third countries with appropriate safeguards per §8.

§2 Instructions

(1) PLANIS processes data solely on documented instructions from the Customer, Art. 28(3)(a) GDPR. Instructions are given via app settings, admin UI, API configurations, or in writing by email to support@tixator.com.
(2) PLANIS will refuse unclear or unlawful instructions and will document instruction changes.

§3 Confidentiality

(1) PLANIS binds all personnel to confidentiality.
(2) Confidential information is disclosed only if legally required or necessary to perform this DPA.

§4 Security of Processing

(1) PLANIS implements appropriate technical and organisational measures (TOMs) under Art. 32 GDPR; see Annex 2.
(2) TOMs may be adapted to technical progress provided the protection level is not reduced.

§5 Assistance

PLANIS supports the Customer with:
a) data subject rights (access, rectification, erasure, restriction, portability, objection),
b) security measures,
c) reporting and handling personal data breaches,
d) DPIAs and consultations where appropriate. Costs are time‑based unless PLANIS caused the issue.

§6 Personal Data Breaches

(1) PLANIS notifies the Customer without undue delay and no later than [BreachNotifyHours] hours after becoming aware of a breach, to [SecurityEmail] or the Customer’s registered contact.
(2) The notice includes: nature of the breach, data categories affected, likely consequences, and measures taken or proposed; PLANIS will provide updates as information becomes available.

§7 Sub‑processing

(1) General authorisation. PLANIS may engage sub‑processors. At present PLANIS does not have any sub‑processors. If any are engaged, they will be listed at https://tixator.com/legal/subprocessors
(2) PLANIS will announce changes with reasonable notice; the Customer may object for good cause. If no solution is found, the Customer has a special termination right for the affected service.
(3) PLANIS contracts sub‑processors with obligations at least equivalent to this DPA, including TOMs and, where relevant, SCCs under §8.

§8 Third‑Country Transfers

(1) For third‑country transfers PLANIS ensures appropriate safeguards in advance.
(2) The EU Standard Contractual Clauses (SCC) 2021/914 apply automatically whenever personal data is transferred to a third‑country importer:

  • Module 2 (Controller→Processor) and Module 3 (Processor→Processor), with [SCC_GoverningLaw] as governing law and [SupervisoryAuthority] as competent authority. Annex mappings are set out in Annex 1 and 2.

§9 Audits

(1) Upon request PLANIS provides reasonable information, including security‑concept excerpts, logs, and independent reports where available.
(2) Audits: once per 12 months with 365 days’ notice (remote or on‑site). Confidentiality, security, and operations must be preserved; business hours apply. The Customer bears audit costs unless material breaches are found.

§10 Deletion and Return

(1) Upon termination or instruction PLANIS deletes or returns all personal data.
(2) PLANIS provides available export functions for 24 days after termination; thereafter data is deleted or anonymised unless statutory retention applies.
(3) Backups are overwritten in routine cycles.

§11 Liability and Order of Precedence

(1) Liability follows the main agreement; mandatory GDPR provisions remain unaffected.
(2) If there is a conflict: (a) SCCs (if applicable), (b) this DPA, (c) main agreement/ToS.

§12 Miscellaneous

(1) Assignment requires consent; PLANIS may use affiliates and qualified sub‑processors.

(2) Governing law / venue: German law; venue Kiel where permitted.