Data Processing Agreement

Version 2.0 | As of: March 2026

Preamble

This Data Processing Agreement (hereinafter "DPA") governs the rights and obligations of the parties in relation to the processing of personal data by Scramble Cloud UG (haftungsbeschränkt), Heinrich-Böll-Weg 25, 30629 Hannover, Germany, email: hello@lurus.ai (hereinafter "Processor" or "Lurus") on behalf of the customer (hereinafter "Controller" or "Customer").

The DPA is an integral part of the Terms and Conditions and takes effect upon use of the Lurus Services.

§ 1 Subject Matter and Duration of Processing

1.1 Subject Matter
The subject of this agreement is the parties' rights and obligations in connection with the provision of services under the Terms and Conditions (hereinafter "Main Agreement"), insofar as the Processor processes personal data on behalf of the Controller as a processor within the meaning of Art. 28 GDPR.

The processing serves the provision of the contractually agreed services as described at https://lurus.ai.

1.2 Duration
The duration of processing is determined by the term of the Main Agreement. It begins with the registration of the Controller and ends with the complete deletion of all personal data after termination of the Main Agreement.

§ 2 Type and Purpose of Processing

2.1 Type of Processing
The type of processing encompasses all processing activities within the meaning of Art. 4 No. 2 GDPR that are necessary for the fulfillment of the contract.

2.2 Purpose of Processing
The processing serves exclusively the provision of the contractually agreed services as described at https://lurus.ai.

§ 3 Types of Personal Data and Categories of Data Subjects

3.1 Categories of Personal Data
The types of personal data processed are determined by the Controller through the use of the Services. The scope of processed data includes all personal data that the Controller enters, uploads, generates or provides through activated third-party service integrations in the course of using the Services. This may include inventory and contact data, content data, usage data, communication data, and all other data resulting from the intended use of the Services.

The Processor has no knowledge of the specific content of the transmitted data and does not review it for legality. Responsibility for the permissibility of processing and compliance with data protection regulations with respect to the transmitted data lies exclusively with the Controller.

3.2 Categories of Data Subjects
The categories of data subjects are determined by the Controller through the use of the Services and include all natural persons whose personal data is processed in the course of using the Services.

3.3 Special Categories of Personal Data
The processing of special categories of personal data pursuant to Art. 9 GDPR is not the subject of this agreement. The transmission of such data to the Processor is prohibited unless a separate written agreement has been made between the parties that specifically governs the additional technical and organizational protective measures.

If the Controller violates this prohibition, they bear sole responsibility for all resulting consequences and shall indemnify the Processor against all third-party claims, regulatory measures and damages resulting from the unauthorized transmission.

§ 4 Responsibility and Instructions

4.1 Responsibility
The Controller is solely responsible within the scope of this agreement for compliance with the statutory provisions of data protection laws, in particular for the legality of data transfer to the Processor and for the legality of data processing ("Controller" within the meaning of Art. 4 No. 7 GDPR).

4.2 Binding Instructions
The Processor processes personal data exclusively on documented instructions from the Controller. The instructions are derived from this DPA and the Main Agreement. Instructions beyond this require text form and the consent of the Processor.

4.3 Instruction Violations
The Processor shall immediately inform the Controller if it believes that an instruction violates the GDPR or other data protection regulations. The Processor may suspend implementation of the instruction until it is confirmed or amended by the Controller.

4.4 Data Processing in the EU
The processing of personal data takes place in member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Processing in a third country is permissible provided the requirements of Art. 44 et seq. GDPR are met, in particular on the basis of an adequacy decision pursuant to Art. 45 GDPR, appropriate safeguards pursuant to Art. 46 GDPR, or another legally provided basis.

§ 5 Obligations of the Processor

5.1 Instruction-Bound Processing
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law; in such a case, it shall inform the Controller of this requirement in advance, unless the law prohibits this.

5.2 Confidentiality
The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality shall continue after the termination of the contract.

5.3 Technical and Organizational Measures
The Processor shall implement the technical and organizational measures required pursuant to Art. 32 GDPR to protect personal data. The measure categories are described in Annex 1. The Processor is entitled to unilaterally adjust Annex 1, provided the measures continue to meet the requirements of Art. 32 GDPR.

5.4 Support for Data Subject Rights
The Processor shall assist the Controller, where possible, with appropriate technical and organizational measures in fulfilling the obligations to respond to requests for the exercise of data subject rights (Art. 12–22 GDPR). Requests from data subjects directed directly to the Processor shall be forwarded to the Controller promptly.

5.5 Support for Data Protection Obligations
The Processor shall assist the Controller in complying with the obligations referred to in Art. 32–36 GDPR.

5.6 Deletion and Return
Upon completion of processing, the Processor shall delete all personal data, unless there is an obligation to retain the data under Union or Member State law.

Deletion periods:

  • Deletion within a reasonable period after termination of the Main Agreement
  • Upon request of the Controller: return of data before deletion in a common, machine-readable format at a cost of EUR 150.00 (net) per commenced hour of required effort

Note on "Local Storage" feature: If the Controller has activated the "Local Storage" feature, chat data is stored exclusively on the Controller's end device. This data is not subject to the Processor's deletion obligation.

§ 6 Obligations of the Controller

6.1 Legality
The Controller is responsible for the legality of data processing. They shall ensure that the transmission and processing of personal data in the course of using the Services is in accordance with applicable data protection regulations.

6.2 Instructions
The Controller shall issue instructions to the Processor in text form (email). They are responsible for documenting the instructions.

6.3 Notification of Errors
The Controller shall immediately inform the Processor if they detect errors or irregularities regarding data protection regulations when using the Services.

6.4 Contact Person
Upon request of the Processor, the Controller shall designate a contact person for data protection matters.

§ 7 Notification of Data Breaches

7.1 Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

7.2 Content of Notification
The notification shall contain the information required pursuant to Art. 33(3) GDPR, insofar as this is known at the time of notification.

7.3 Support
The Processor shall assist the Controller in fulfilling their notification obligations to the supervisory authority (Art. 33 GDPR) and to data subjects (Art. 34 GDPR).

§ 8 Sub-Processors

8.1 General Authorization
The Controller grants the Processor general authorization to engage further processors (sub-processors) for the fulfillment of the contract.

8.2 List of Sub-Processors
The currently engaged sub-processors are listed in Annex 2 (List of Sub-Processors). The Controller agrees to their engagement.

8.3 Notification of Changes
The Processor shall inform the Controller of any intended change regarding the addition or replacement of sub-processors. The Controller has the opportunity to raise a data protection-related objection to these changes within 30 days of receipt of the information in text form. If the Controller does not object within this period or the objection is not data protection-related, consent to the change is deemed granted. The consequences of a justified objection are governed by § 8.4.

8.4 Consequences of an Objection
In the event of a data protection-related objection, the Processor shall:

  • where possible, provide the service without the relevant sub-processor, or
  • if this is not reasonable, discontinue the affected service. In this case, the Processor has a special right of termination.

8.5 Contractual Binding
The Processor shall ensure through contractual agreements that sub-processors comply with the same data protection obligations as set forth in this DPA. The Processor remains responsible to the Controller for compliance with obligations by sub-processors.

§ 9 Audit Rights

9.1 Duty of Proof
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

9.2 Audits
If the Controller asserts legitimate doubts about compliance with this DPA based on actual evidence, they may request audits. The Processor may fulfill this audit obligation by presenting a current certificate (e.g., ISO 27001) or the results of an audit by an independent expert bound by confidentiality. If the Processor cannot present such evidence, the Controller is entitled to commission an independent expert bound by confidentiality at their own expense. An on-site inspection by the Controller or their employees is excluded.

The following conditions apply to audits by experts:

  • Notice of at least 30 days in advance in text form
  • The expert must be named to the Processor in advance and requires the Processor's consent, which may only be refused for good cause
  • Conducted exclusively during normal business hours
  • No excessive disruption of business operations
  • Maximum one audit per calendar year, except in case of concrete justified suspicion of a serious violation
  • The expert is bound by confidentiality obligations to both parties and may only communicate the audit result to the Controller, not confidential business or trade secrets of the Processor

9.3 Costs
The costs for audits under § 9.2, including costs for expert audits, shall be borne by the Controller, unless the audit was required due to a proven violation by the Processor.

§ 10 Liability and Damages

10.1 Liability under GDPR
Liability is governed by Art. 82 GDPR. Each party is liable for damages caused by processing that does not comply with the GDPR.

10.2 Liability Provisions of the Main Agreement
The liability provisions agreed in the Main Agreement (Terms and Conditions) also apply to claims arising from this agreement.

10.3 Indemnification
The Controller shall indemnify the Processor against all third-party claims, regulatory measures, fines and damages based on:

  • the Controller having issued an unlawful or contractually non-compliant instruction,
  • the Controller having transmitted or had processed personal data without a sufficient legal basis,
  • the Controller having failed to fulfill their information obligations to data subjects pursuant to Art. 13, 14 GDPR,
  • the Controller having violated the prohibition on transmitting special categories of personal data pursuant to § 3.3 of this DPA, or
  • the Controller having violated their other data protection obligations in connection with the use of the Services.

The indemnification also covers the reasonable costs of the Processor's legal defense. The indemnification does not apply insofar as the Processor has contributed to the damage through its own fault.

§ 11 Term and Termination

11.1 Commencement
This agreement commences with the registration of the Controller with Lurus.

11.2 End
This agreement ends with the complete settlement of the Main Agreement, but no later than the complete deletion of all personal data.

11.3 Continuation
The obligations under this DPA, in particular the obligation of confidentiality and the obligation to delete, shall continue beyond the end of this agreement until all personal data has been deleted.

§ 12 Final Provisions

12.1 Written Form
Amendments and supplements to this DPA require text form (email is sufficient).

12.2 Priority
In case of contradictions between this DPA and the Main Agreement (Terms and Conditions), the provisions of this DPA shall take priority insofar as they concern the protection of personal data.

12.3 Severability Clause
Should individual provisions of this DPA be or become invalid, this shall not affect the validity of the remaining provisions.

12.4 Applicable Law
The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods.

12.5 Place of Jurisdiction
The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA is Hannover, provided the Controller is a merchant, legal entity under public law, or a special fund under public law.

12.6 Amendments to the DPA
Amendments to this agreement that become necessary due to material legal or technical changes shall be communicated to the Controller by email. The amendments require the consent of the Controller. If the Controller does not object within 30 days, consent is deemed granted. In the event of an objection, the Processor has a special right of termination.

Annex 1: Technical and Organizational Measures (TOMs)

The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk. The measures include in particular:

  • Access Control (Physical): Protection against unauthorized access to data processing equipment through appropriate physical and technical access controls.
  • Access Control (System): Prevention of unauthorized use of data processing systems through appropriate authentication and authorization procedures.
  • Access Control (Data): Ensuring that authorized persons can only access data within the scope of their authorization.
  • Separation Control: Ensuring that data collected for different purposes is processed separately.
  • Transfer Control: Protection of data during transmission and transport through appropriate encryption methods based on the current state of the art.
  • Input Control: Ensuring traceability through authentication and authorization concepts that ensure only authorized users can enter, modify, or remove personal data.
  • Availability Control: Protection of personal data against destruction or loss through appropriate backup and recovery procedures.
  • Encryption: Encryption of stored and transmitted data based on the current state of the art.
  • Pseudonymization: Where technically possible and proportionate to the processing purpose, personal data is processed in pseudonymized form to minimize the risk to data subjects (Art. 32(1)(a) GDPR).
  • Regular Review: Procedures for regularly reviewing, assessing, and evaluating the effectiveness of measures pursuant to Art. 32(1)(d) GDPR.

The Processor adapts the measures taking into account the state of the art. The specific implementation of measures is demonstrated upon request pursuant to § 9.1. A detailed document on technical and organizational measures can be provided by the Processor upon request.

Annex 2: List of Sub-Processors

As of: March 2026

Standard Sub-Processors

Sub-Processor                          | Location          | Purpose                                      | Data Categories
---------------------------------------|-------------------|----------------------------------------------|----------------------------------------------------------------------------------------
OVHcloud (OVH Groupe SAS)              | EU/EEA            | AI model hosting, application infrastructure | Data per § 3.1
IONOS SE                               | EU/EEA            | AI model hosting, application infrastructure | Data per § 3.1
Hetzner Online GmbH                    | EU/EEA            | AI model hosting, application infrastructure | Data per § 3.1
Nebius B.V.                            | EU/EEA            | AI model hosting                             | Data per § 3.1
Mollie B.V.                            | EU/EEA            | Payment processing                           | Payment and billing data
Functional Software Inc. (Sentry)      | EU (data storage) | Error monitoring and analysis                | Technical usage data, possibly pseudonymized user identifiers, IP addresses (anonymized)

Optional Sub-Processors (only upon voluntary activation by the Controller)

The following sub-processors are only engaged when the Controller actively enables the corresponding premium models in the settings. Without such activation, no data is transmitted to these sub-processors.

Sub-Processor                                                 | Location   | Purpose           | Data Categories
--------------------------------------------------------------|------------|-------------------|----------------
AWS Bedrock (Amazon Web Services EMEA SARL)                   | EU regions | Premium AI models | Data per § 3.1
Microsoft Azure OpenAI (Microsoft Ireland Operations Ltd.)    | EU regions | Premium AI models | Data per § 3.1
Google Cloud Vertex AI (Google Ireland Ltd.)                  | EU regions | Premium AI models | Data per § 3.1

Changes to this list will be communicated to the Controller pursuant to § 8.3.
Contact for sub-processor inquiries: privacy@lurus.ai

Questions about the Data Processing Agreement? Contact us at privacy@lurus.ai.