Data Processing Agreement

Data Processing Agreement - ExValu

Jump to: About this DPA DPA text Annex I - Processing details Annex II - Security measures Annex III - Sub-processors Signature

Overview

About This Document

This page explains ExValu's data processing obligations and provides the full text of ExValu's standard Data Processing Agreement (DPA) for B2B clients. If you are a business client whose data ExValu processes during an engagement, you need to sign this DPA before processing begins.

Important - who this document is for: This DPA governs the relationship between ExValu (as a data processor) and business clients (as data controllers) when ExValu processes personal data belonging to the client's business - for example, the client's customer records, employee data, or CRM contacts - during a consulting engagement. It is not a document for website visitors. If you are a website visitor looking for information about how ExValu handles your personal data, see the Privacy Policy.

Two different data relationships

ExValu operates in two distinct data roles depending on the context:

ExValu as Data Controller

Website visitors and prospects

When you visit exvalu.com, book a call, or enquire about services, ExValu is the data controller. ExValu decides why and how your contact data is processed. This relationship is governed by the Privacy Policy - not this DPA.

ExValu as Data Processor - THIS DPA applies

Business clients during engagements

When ExValu processes personal data belonging to a client's business - their customers, employees, or contacts - during delivery of the Exit Readiness Program or other services, ExValu acts as a data processor following the client's instructions. This relationship requires a signed DPA under GDPR Article 28.

When you need to sign this DPA

A signed DPA between ExValu and your organisation is required before ExValu begins processing any personal data that belongs to your business. This includes:

Knowledge capture sessions involving recordings of your employees or team members
Access to your CRM, customer database, or contact lists for system configuration
Building or configuring automated email sequences using your contact data
Creating knowledge bases or SOP libraries that contain information about identified individuals
Any other processing of personal data on your behalf as part of the Exit Readiness Program

The DPA is included as a standard annex to all ExValu engagement proposals. If you have not yet received a signed DPA and believe you should have one, contact [email protected].

For M&A due diligence: If you are an M&A advisor, PE firm, or buyer conducting due diligence on an ExValu client, this DPA and the annexes below demonstrate ExValu's GDPR Article 28 compliance framework. A signed copy of the DPA specific to a client engagement is available on request with the client's consent.

The agreement

Data Processing Agreement - Full Text

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The business client named in the ExValu engagement proposal ("Controller", "you", "Client")

Data Processor: ExValu, operated by Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany ("ExValu", "Processor", "we")

This DPA forms part of and supplements the ExValu Terms of Service and any signed engagement proposal or Statement of Work between the parties (collectively the "Agreement"). Capitalised terms not defined here have the meaning given in the Terms of Service.

Article 1 - Purpose and Scope

1.1 This DPA governs the processing of personal data by ExValu on behalf of the Controller in connection with the services described in the Agreement, specifically where ExValu processes personal data belonging to the Controller's business (including Controller's customers, employees, prospects, and other data subjects).

1.2 This DPA implements the requirements of GDPR Article 28 and constitutes the written contract required between controller and processor under EU data protection law. The Annexes to this DPA form part of and are incorporated into it.

1.3 Processing details, including the subject matter, duration, nature, purposes, types of personal data, and categories of data subjects, are set out in Annex I. Technical and organisational security measures are set out in Annex II. Authorised sub-processors are listed in Annex III.

Article 2 - Instructions and Processing Boundaries

2.1 ExValu shall process personal data only on documented instructions from the Controller, including as set out in this DPA, the Agreement, and any written instructions provided during the engagement. ExValu shall not process personal data for any other purpose.

2.2 If ExValu is required by EU or German law to process personal data beyond the Controller's instructions, ExValu shall inform the Controller before such processing unless the law prohibits such notification on grounds of public interest.

2.3 ExValu shall immediately notify the Controller if, in ExValu's opinion, an instruction from the Controller violates applicable data protection law. In such cases, ExValu is entitled to suspend the relevant processing until the Controller provides clarified instructions.

2.4 The Controller remains the data controller for all personal data it provides to ExValu and retains full responsibility for the lawfulness of processing, the lawfulness of the instructions given to ExValu, and for ensuring data subjects have been appropriately informed about the processing.

Article 3 - Confidentiality

3.1 ExValu shall ensure that all personnel authorised to process personal data under this DPA are subject to a binding duty of confidentiality with respect to that data, either by statute or by contractual obligation.

3.2 ExValu shall limit access to personal data to those personnel who need access to perform the services under the Agreement, applying the principle of least privilege.

3.3 The confidentiality obligation survives termination of this DPA and the Agreement.

Article 4 - Security of Processing

4.1 ExValu shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons, as required by GDPR Article 32.

4.2 The specific technical and organisational measures ExValu implements are described in Annex II. ExValu shall review and update these measures as necessary to maintain appropriate security.

4.3 ExValu shall take appropriate steps to ensure that any natural person acting under its authority who has access to personal data does not process it except on the Controller's instructions.

Article 5 - Sub-processors

5.1 The Controller grants ExValu general written authorisation to engage the sub-processors listed in Annex III for the processing activities described in this DPA.

5.2 ExValu shall notify the Controller of any intended additions or replacements to the sub-processors listed in Annex III with at least 14 days written notice prior to engaging the new sub-processor. The Controller may object to a new sub-processor within that notice period on reasonable data protection grounds by written notice to ExValu.

5.3 If the Controller objects and the parties cannot resolve the objection within 14 days, the Controller may terminate the affected service on written notice without penalty, provided the objection relates specifically to the new sub-processor and not to the services generally.

5.4 Where ExValu engages a sub-processor, it shall impose equivalent data protection obligations on that sub-processor by written contract, including all requirements of GDPR Article 28(3). ExValu remains fully liable to the Controller for the performance of the sub-processor's obligations under this DPA.

5.5 ExValu shall make the list of current sub-processors available to the Controller on request. The current list is published in Annex III of this DPA.

Article 6 - Data Subject Rights Assistance

6.1 ExValu shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures where possible in fulfilling the Controller's obligation to respond to data subject rights requests under GDPR Chapter III (including rights of access, rectification, erasure, restriction, portability, and objection).

6.2 Upon receiving a data subject rights request directly from a data subject that relates to personal data processed under this DPA, ExValu shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed to do so by the Controller or required to by applicable law.

6.3 ExValu shall assist the Controller in ensuring compliance with its obligations regarding security of processing (GDPR Article 32), notification of personal data breaches (Articles 33-34), and, where applicable, data protection impact assessments (Article 35) and prior consultation with supervisory authorities (Article 36).

Article 7 - Data Breach Notification

7.1 ExValu shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach affecting personal data processed under this DPA.

7.2 The breach notification shall include, to the extent available at the time of notification: a description of the nature of the breach including the categories and approximate number of data subjects and personal data records affected; the contact details of the ExValu privacy contact; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

7.3 Where all required information cannot be provided at the same time, ExValu may provide it in phases without undue further delay.

7.4 ExValu shall maintain records of all personal data breaches, including those that do not require notification to supervisory authorities, in accordance with GDPR Article 33(5).

Article 8 - Audit Rights

8.1 ExValu shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28, and shall allow and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller.

8.2 Audits shall be conducted with reasonable prior written notice (at least 14 days unless urgency requires otherwise), during normal business hours, and in a manner that minimises disruption to ExValu's operations.

8.3 The parties shall bear their own costs for audits unless the audit reveals material non-compliance by ExValu, in which case ExValu shall bear the reasonable costs of the audit.

8.4 Where the Controller requests audit information that ExValu provides by way of third-party certification, audit reports, or security attestations, these shall satisfy the audit right to the extent they cover the relevant processing activities.

Article 9 - International Data Transfers

9.1 ExValu shall not transfer personal data processed under this DPA to a country or international organisation outside the EU/EEA without the Controller's prior written authorisation and without ensuring appropriate safeguards under GDPR Chapter V are in place.

9.2 Where sub-processors listed in Annex III are located outside the EU/EEA, ExValu has implemented Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) or relies on adequacy decisions (including the EU-US Data Privacy Framework where applicable). Details of transfer mechanisms are included in Annex III.

9.3 Where the Controller requests details of the transfer mechanisms in place for a specific sub-processor, ExValu shall provide this information within 14 days.

Article 10 - Return and Deletion of Data

10.1 Upon termination or expiry of the Agreement, or upon the Controller's request at any time, ExValu shall, at the Controller's choice: return all personal data to the Controller in a commonly used, machine-readable format; or securely delete and destroy all personal data processed under this DPA.

10.2 ExValu shall complete the return or deletion within 30 days of the relevant event and shall provide the Controller with written confirmation of completion.

10.3 ExValu may retain personal data beyond this period only where required by applicable EU or German law, and only to the minimum extent required. ExValu shall notify the Controller of any such retention obligation at the time of the deletion request, specifying the legal basis and retention period.

10.4 This Article survives termination of the Agreement.

Article 11 - Liability and Indemnity

11.1 Each party shall be liable to the other and to data subjects for damage caused by processing that violates GDPR in accordance with GDPR Articles 82 and 83 and applicable German law.

11.2 ExValu shall be exempt from liability under GDPR Article 82(3) if it demonstrates that it is not in any way responsible for the event giving rise to the damage, including where the damage results from the Controller's instructions or the Controller's failure to fulfil its own GDPR obligations.

11.3 Liability between the parties for breach of this DPA is subject to the limitations set out in the Terms of Service, except where GDPR mandatory provisions apply.

Article 12 - Duration and Termination

12.1 This DPA takes effect on the date it is signed by both parties and remains in force for as long as ExValu processes personal data on behalf of the Controller under the Agreement.

12.2 Obligations under Articles 3 (Confidentiality), 10 (Return and Deletion), and 11 (Liability) survive termination.

12.3 In the event of a conflict between this DPA and the Agreement, this DPA shall prevail to the extent the conflict relates to data protection obligations.

Article 13 - Governing Law and Disputes

13.1 This DPA is governed by the laws of the Federal Republic of Germany. The parties submit to the exclusive jurisdiction of the courts of Munich, Germany for all disputes arising under this DPA, subject to mandatory provisions of applicable data protection law.

13.2 Nothing in this DPA restricts a data subject's right to lodge a complaint with a supervisory authority or to seek judicial remedy against either party in accordance with GDPR Articles 77 and 79.

Annex I - Processing Details

Required under GDPR Article 28(3) - subject matter, duration, nature, purpose, data types, and data subjects

A. Parties

Data Controller	As named in the ExValu engagement proposal
Data Processor	ExValu, Karl zu Ortenburg, Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany. Contact: [email protected]

B. Subject matter and duration

ExValu processes personal data on behalf of the Controller for the duration of the engagement as set out in the Agreement, plus any retention period required by law after engagement close. The subject matter is the delivery of the Exit Readiness Program and associated services including AI system configuration, process documentation, and knowledge capture.

C. Nature and purpose of processing

Processing activity	Purpose
Knowledge capture sessions	Recording and transcribing subject matter expertise of the Controller's personnel to build documented process libraries and Company Brain systems
CRM and workflow configuration	Accessing and configuring the Controller's CRM (GoHighLevel or equivalent) including contact records, pipeline stages, and automated sequences
Email sequence implementation	Building and testing automated email sequences using the Controller's contact database, including segmentation and personalisation fields
SOP and documentation creation	Creating documented processes, decision frameworks, and operational guides that may reference identified individuals by role or name
Exit Readiness Dossier compilation	Assembling documented evidence of operational systems, which may include references to the Controller's team, clients, and processes

D. Types of personal data processed

Employee and team member data: names, roles, contact details, expertise areas, voice/video recordings
Customer and prospect data: names, email addresses, phone numbers, company details, interaction history
Business contact data: names, email addresses, phone numbers of suppliers, partners, and third parties
Operational data: process notes, decision records, and documentation that may reference identified individuals

Special category data is not anticipated. If any processing would involve special category data, the parties will agree an amendment to this Annex before such processing begins.

E. Categories of data subjects

The Controller's employees, contractors, and team members
The Controller's customers and prospects
The Controller's suppliers and business contacts
Former employees or clients referenced in historical process documentation

F. Retention during engagement

ExValu retains personal data processed under this DPA only for the duration necessary to deliver the agreed services. Session recordings are retained for a maximum of 2 years or until engagement close, whichever is sooner. All other personal data is returned or deleted within 30 days of engagement close, subject to any legal retention requirements notified to the Controller.

Annex II - Technical and Organisational Security Measures

Required under GDPR Articles 28(3)(c) and 32

ExValu implements the following technical and organisational measures (TOMs) to ensure the security of personal data processed under this DPA. These measures represent the minimum standard. ExValu reviews and updates them periodically.

Access control and authentication

Two-factor authentication (2FA) required for all accounts with access to personal data
Role-based access controls: access limited to personnel with a documented need
Principle of least privilege applied to all system permissions
Immediate access revocation procedures on personnel departure

Encryption and data security

SSL/TLS encryption for all personal data in transit
AES-256 encryption for personal data at rest in cloud storage
Encrypted backups stored in geographically separate locations
Secure deletion procedures for all personal data (overwrite, not just marking deleted)

System and infrastructure security

Firewalls and network-level intrusion detection on all systems handling personal data
Regular security updates and patch management
Vulnerability assessments on an ongoing basis
All sub-processors selected based on demonstrated security certifications (SOC 2, ISO 27001, or equivalent)

Organisational measures

All personnel with access to personal data bound by confidentiality obligations
Annual data protection awareness training
Documented incident response procedure with 48-hour breach notification target for the Controller
Regular review and audit of sub-processor compliance
Data minimisation applied at collection: only data necessary for the defined purpose is processed

Physical security

All processing occurs on secured, encrypted devices
No personal data is processed on unsecured or public networks
Physical access to devices with personal data is controlled and limited to authorised personnel

Recording and knowledge capture sessions

Sessions recorded only with explicit prior consent of all participants
Recordings stored in access-controlled cloud environments with 2FA protection
Recording links shared only with authorised parties via encrypted channels
Recordings deleted from ExValu systems within 30 days of engagement close or on Controller request

III

Annex III - Authorised Sub-processors

Required under GDPR Article 28(2) and (4) - list current as of April 2026

The Controller grants general written authorisation to engage the following sub-processors. ExValu will notify the Controller of any changes with at least 14 days advance notice. The Controller may object to any new sub-processor within the notice period on reasonable data protection grounds.

Sub-processor	Purpose	Location	Transfer mechanism
GoHighLevel (GHL)	CRM, pipeline management, email and SMS automation, workflow configuration	USA / EU data centres	Standard Contractual Clauses (SCCs); EU data centre used where available
Google Workspace	Email, calendar, document storage for engagement materials	EU data centres	EU adequacy; SCCs for any US processing
Zoom / Google Meet	Video calls and knowledge capture sessions (where recordings are taken)	USA / EU	SCCs; EU-US Data Privacy Framework (DPF) where applicable
Bunny.net	Font delivery (no personal data retained per Bunny.net privacy policy)	Netherlands (EU)	EU-hosted; no transfer required
Google Drive / SharePoint	Exit Readiness Dossier storage and collaboration (where used by the Controller)	EU data centres	EU adequacy / SCCs

Sub-processors are only engaged where necessary for the services agreed in the specific engagement. Not all sub-processors will be used in every engagement. ExValu will notify the Controller of which sub-processors are relevant at the start of each engagement.

Execution

Signature and Execution

This DPA is incorporated by reference into the ExValu engagement proposal. By signing the engagement proposal, both parties agree to be bound by this DPA and its Annexes. Where a separate signed DPA is required, the signature block below applies.

For engagement clients: You do not need to sign this document separately if you have already signed an ExValu engagement proposal that references this DPA. If your organisation requires a separately executed DPA for compliance purposes, contact [email protected] to arrange execution.

Data Controller

Name: ______________________________

Title: ______________________________

Organisation: ______________________________

Date: ______________________________

Email: ______________________________

Signature of authorised representative

Data Processor - ExValu

Name: Karl zu Ortenburg

Title: Founder, ExValu

Organisation: ExValu

Date: ______________________________

Email: [email protected]

Signature of Karl zu Ortenburg

This DPA may be executed electronically. An electronic signature or email confirmation of acceptance by an authorised representative of the Controller constitutes a valid execution of this DPA for the purposes of GDPR Article 28(3).

DPA Enquiries

For questions about this DPA, to request a separately executed copy, to object to a new sub-processor, or to exercise audit rights, contact:

ExValu
Karl zu Ortenburg
Gstaller Weg 36, 82166 Grafelfing, Federal Republic of Germany
[email protected] | +49 (0) 89 83 999 089

Version history: v1.0 April 1, 2026: Complete rebuild. Previous document titled "Data Processing Agreement" was incorrectly structured as a privacy notice to website visitors. This version is a GDPR Article 28-compliant B2B DPA with all eight mandatory clauses, three required Annexes (processing details, security measures, sub-processor list), and a correct controller-processor role allocation. Brand updated from AIHub3 to ExValu throughout.

Legal review note: This DPA has been prepared by ExValu to comply with GDPR Article 28 requirements. It has not been formally reviewed by a qualified German data protection lawyer. That review is pending and this note will be removed on completion. ExValu recommends that client organisations have their own legal counsel review this DPA before signature if they have specific compliance requirements.