Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer identified in the underlying Terms of Service or Design Partner Agreement (the "Principal Agreement") and Causa Prima Germany GmbH, registered with the commercial register of the Local Court (Amtsgericht) of Berlin-Charlottenburg under HRB 286382 B, with registered seat in Berlin and business address at Leopoldstraße 31, 80802 München, Germany ("Causa Prima"), and governs the Processing of Personal Data by Causa Prima on behalf of the Customer in connection with the Services. Where the Principal Agreement is the Design Partner Agreement, references to the "Customer" in this DPA include the Design Partner.
If there is any conflict between this DPA and the Principal Agreement on a matter relating to Personal Data, this DPA prevails.
1. Definitions
Capitalised terms not defined here have the meaning given in the Principal Agreement or in the GDPR.
- "GDPR" means Regulation (EU) 2016/679.
- "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data Breach" and "Supervisory Authority" have the meanings given in the GDPR.
- "Customer Personal Data" means Personal Data that Causa Prima Processes on behalf of the Customer under the Principal Agreement.
- "Services" means the services Causa Prima provides to the Customer under the Principal Agreement.
- "TOMs" means the technical and organisational measures described in Annex 1.
- "Sub-processor List" means the public list of authorised Sub-processors maintained at https://causaprima.ai/sub-processors (or such other URL notified to the Customer).
2. Roles and scope
2.1 The Customer is the Controller of the Customer Personal Data. Causa Prima is the Processor.
2.2 This DPA applies to all Processing of Customer Personal Data carried out by Causa Prima in the course of providing the Services.
2.3 For the purposes of Article 28(3) GDPR, the parties agree:
(a) Subject-matter: the provision of the Services by Causa Prima to the Customer under the Principal Agreement.
(b) Duration: the term of the Principal Agreement, plus any post-termination return or deletion period under clause 13.
(c) Nature and purpose of Processing: hosting, processing and analysis of Customer Personal Data within the Services to deliver the agentic finance workflows ordered by the Customer.
(d) Categories of Data Subjects: the Customer's personnel (such as employees, contractors and authorised users), and any other natural persons whose Personal Data the Customer or its authorised users input into the Services (such as the Customer's end-users, customers, or suppliers).
(e) Categories of Personal Data: identification data (such as name, email and role), business contact data, and transactional or financial metadata that the Customer or its authorised users input into the Services. No special categories of Personal Data under Article 9 GDPR and no criminal-offence data under Article 10 GDPR are intentionally Processed.
2.4 Each party will comply with its obligations under applicable data protection law, including the GDPR and the German Federal Data Protection Act (BDSG).
3. Customer instructions
3.1 Causa Prima will Process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by EU or Member State law. The Principal Agreement, this DPA and the Customer's use of the Services constitute the Customer's documented instructions.
3.2 Causa Prima will inform the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
4. Confidentiality
Causa Prima ensures that personnel authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate training on their data protection responsibilities.
5. Security
5.1 Causa Prima will implement and maintain the TOMs described in Annex 1, having regard to the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risk to Data Subjects.
5.2 Causa Prima may update the TOMs from time to time, provided the overall level of security is not materially reduced.
6. Sub-processors
6.1 The Customer grants Causa Prima a general authorisation to engage Sub-processors to Process Customer Personal Data, subject to this clause 6.
6.2 The Sub-processors authorised as of the date of this DPA are listed on the Sub-processor List.
6.3 Causa Prima will publish any intended addition or replacement of a Sub-processor on the Sub-processor List at least 15 days in advance. The Customer may subscribe to updates on that page. The Customer may object to a new Sub-processor on reasonable data-protection grounds in writing within that 15-day period. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected Services on written notice, as its sole remedy.
6.4 Causa Prima will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible to the Customer for the performance of each Sub-processor.
7. Data Subject rights
Causa Prima will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR. Causa Prima may charge the Customer reasonable costs for assistance that goes beyond the standard self-service functionality of the Services.
8. Personal Data Breach
8.1 Causa Prima will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.
8.3 Causa Prima will cooperate with the Customer and take reasonable steps to mitigate and remediate the breach.
9. Data protection impact assessments and prior consultation
Causa Prima will provide reasonable assistance to the Customer with any data protection impact assessment and prior consultation with Supervisory Authorities, in each case solely in relation to the Processing under this DPA and taking into account the information available to Causa Prima.
10. International transfers
10.1 Causa Prima may transfer Customer Personal Data outside the European Economic Area (EEA) where necessary to provide the Services, including by engaging Sub-processors located outside the EEA.
10.2 Where such a transfer requires a transfer mechanism under Chapter V of the GDPR, the parties will rely on:
(a) an adequacy decision of the European Commission, where applicable; or
(b) the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), in the module appropriate to the parties' roles for the relevant transfer (typically Module 2 (Controller-to-Processor) where the Customer acts as Controller, or Module 3 (Processor-to-Processor) where the Customer acts as Processor); or
(c) the EU-US Data Privacy Framework, where the recipient is certified.
10.3 The applicable transfer mechanism for each Sub-processor is set out in that Sub-processor's own data processing agreement and transfer documentation, which is linked from the Sub-processor List.
11. Government access requests
If Causa Prima receives a legally binding request from a public authority for access to Customer Personal Data, Causa Prima will (a) notify the Customer of the request without undue delay, unless legally prohibited from doing so; (b) where notification is prohibited, use reasonable efforts to inform the requesting authority that the request should be directed to the Customer; (c) not voluntarily disclose Customer Personal Data to any public authority; and (d) where lawful and reasonable, challenge any request that is manifestly disproportionate or unlawful.
12. Audit and information rights
12.1 Causa Prima will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Where Causa Prima maintains a recognised industry certification or third-party audit report, the Customer will accept that report in lieu of an on-site audit. The Customer may request an on-site audit no more than once in any 12-month period, on 60 days' written notice and at the Customer's cost, to be conducted in a manner that does not unreasonably disrupt Causa Prima's operations.
12.2 Causa Prima maintains records of Processing activities concerning Customer Personal Data as required by Article 30(2) GDPR and will make them available to the Supervisory Authority on request.
13. Return and deletion
13.1 On termination or expiry of the Principal Agreement, Causa Prima will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, within 30 days, unless EU or Member State law requires storage of the Personal Data.
13.2 Backups containing Customer Personal Data will be deleted in accordance with Causa Prima's standard backup retention cycle, after which they will be inaccessible.
14. Liability
14.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Statutory liability under the GDPR (including administrative fines imposed on a party in its own right) is not excluded or limited where such exclusion or limitation is not permitted by law.
15. Term and miscellaneous
15.1 This DPA enters into force on the effective date of the Principal Agreement and remains in force for as long as Causa Prima Processes Customer Personal Data on behalf of the Customer under the Principal Agreement.
15.2 This DPA is governed by the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Berlin, Germany, subject to mandatory rules of consumer or data protection law.
15.3 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force, and the parties will replace the invalid provision with a valid one that comes as close as possible to the original intent.
15.4 This DPA is concluded in English and German. In case of any inconsistency between the two versions, the English version prevails.
Annex 1 — Technical and Organisational Measures (TOMs)
The Technical and Organisational Measures below are embedded in and form an integral part of this DPA (they are no longer maintained as a separately hosted document). The version in force when the Customer accepts the Principal Agreement applies; Causa Prima may update them from time to time per clause 5.2, provided the overall level of security is not materially reduced.
These TOMs describe the technical and organisational measures implemented by Causa Prima Germany GmbH ("Causa Prima") under Article 32 GDPR to ensure a level of security appropriate to the risk of processing personal data on behalf of its customers ("Controllers").
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Physical access control. Causa Prima does not operate its own data centres; all production data is hosted with sub-processors operating certified data centres (ISO 27001 and/or SOC 2 Type II) — see Annex 2. Offices and remote workstations process only the minimum personal data necessary for development, support and administration; office access is restricted to staff and authorised visitors. Production systems are not accessible from office networks except through the authenticated channels in 1.2.
1.2 Logical access control. Access to production systems requires individual user accounts (shared accounts prohibited) and multi-factor authentication (MFA); single sign-on is used for internal tooling where supported. Passwords are stored as salted hashes; production secrets live in a dedicated secrets manager, never in source code, tickets or chat. Access from personal devices is restricted; staff devices are managed and require disk encryption and screen lock.
1.3 Authorisation control (least privilege). Access to personal data follows least privilege; role-based access control (RBAC) governs production access, reviewed at least quarterly and immediately on role change or departure. Production write access is restricted to a defined subset of engineering staff. Administrative actions on production systems are logged (see 2.2).
1.4 Pseudonymisation and encryption (Art. 32(1)(a) GDPR). Personal data at rest in production databases and object storage is encrypted using AES-256 (or stronger) provided by the hosting sub-processor. Personal data in transit is encrypted using TLS 1.2+ between clients and Causa Prima services and between Causa Prima and sub-processors. Backups are encrypted at rest. Where reasonably possible, identifiers are pseudonymised in analytical and logging pipelines.
1.5 Separation control (multi-tenancy). Customer data is logically separated by tenant identifiers in shared production databases; access paths enforce tenant scoping. Production, staging and development environments are separated; production personal data is not used in development or testing except in pseudonymised or anonymised form.
2. Integrity (Art. 32(1)(b) GDPR)
2.1 Transfer control. All personal data transfers between Controllers, end users and Causa Prima occur over TLS 1.2+; transfers to sub-processors occur over TLS or equivalent encrypted channels. Transfers to sub-processors outside the EEA are governed by the safeguards in clause 10 of this DPA (SCCs, adequacy decisions, or the EU-US Data Privacy Framework).
2.2 Input control (audit logs). Security- and data-access-relevant application and infrastructure events are logged with user identifier, action, timestamp and, where applicable, affected resource. Logs are retained for at least 12 months, stored separately from the systems that generate them, and reviewed in response to incidents and on a regular basis.
3. Availability and resilience (Art. 32(1)(b) and (c) GDPR)
3.1 Availability. Production services run on cloud infrastructure with built-in redundancy across availability zones in the primary processing region; capacity is monitored and alerted on, with degradations paging the on-call engineer.
3.2 Backups. Production databases are backed up at least daily, with backups retained for at least 30 days, encrypted (see 1.4) and stored separately from the primary system. Backup restoration is tested at least annually.
3.3 Disaster recovery / business continuity. Causa Prima maintains a documented disaster-recovery procedure covering loss of the primary processing region, loss of key sub-processors, and major incidents affecting staff. Recovery objectives: RTO 24 hours, RPO 24 hours (targets, not contractual SLAs).
4. Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR)
- Causa Prima maintains an internal information-security policy reviewed at least annually or on material change.
- Staff receive security and data-protection training on onboarding and at least annually thereafter.
- All staff and contractors with access to personal data are bound by written confidentiality obligations that survive termination.
- Causa Prima maintains a documented incident-response procedure; personal-data breaches are notified to affected Controllers without undue delay and in any event within 72 hours of becoming aware (per clause 8 of this DPA).
- Sub-processors are bound by written contracts no less protective than this DPA and reviewed before engagement and on material change.
- Vulnerabilities are tracked, prioritised by severity, and remediated within timeframes appropriate to the risk.
5. Order / instruction control (Art. 28, 29, 32(4) GDPR)
- Causa Prima processes personal data only on documented instructions from the Controller, as set out in this DPA.
- Staff with access to personal data are instructed in writing on the scope of permissible processing and on confidentiality.
- Onward instructions to sub-processors mirror the Controller's instructions to Causa Prima.
Annex 2 — Sub-processors
Maintained as the single source-of-truth list at https://causaprima.ai/sub-processors (the Byll and Scribo surfaces link to this same page). The list at that URL as of the date the Customer accepts the Principal Agreement is incorporated by reference. Updates are governed by clause 6.