Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement describes how Anliego processes personal data on behalf of its customers in accordance with Article 28 of the GDPR.
[bracketed] placeholder with your real details before launch.1. Roles of the parties
This Data Processing Agreement (the DPA) forms part of, and is governed by, the agreement under which Anliego provides its services to the customer (the Agreement). In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.
For the purposes of this DPA, the customer acts as the controller (or, where the customer is itself acting on behalf of a third party, as a processor), and Anliego, operated by Luis Riedhammer, acts as the processor (or sub-processor, as applicable). Anliego processes personal data on behalf of, and under the documented instructions of, the customer.
Capitalised terms not defined in this DPA have the meaning given to them in the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and, where applicable, in the Agreement.
2. Subject matter of the processing
The subject matter of the processing is the provision of the Anliego platform, which helps the customer collect, manage, and respond to customer reviews and run review-request campaigns. To deliver these services, Anliego processes the customer's business and review data and the contact details of the customer's own end-customers.
Anliego processes personal data only to the extent necessary to provide, maintain, secure, and support the services described in the Agreement, and as further instructed by the customer through its use of the platform and its account configuration.
3. Nature and purpose of the processing
- Hosting and storing review content, business information, and end-customer contact records.
- Sending review-request and follow-up messages by email and/or SMS on the customer's behalf.
- Aggregating, displaying, and analysing reviews, ratings, and campaign performance for the customer.
- Providing account management, authentication, support, troubleshooting, and security monitoring.
- Performing backups, maintenance, and other technical operations necessary to run the service.
4. Duration of the processing
Anliego processes personal data for the duration of the Agreement, until the customer's account is terminated or closed, plus any additional period required to complete return or deletion of the data in accordance with Section 14, or as otherwise required by applicable law.
5. Categories of personal data
The personal data processed under this DPA relates primarily to the customer's end-customers, reviewers, and the customer's own authorised users. Depending on how the customer uses the platform, the categories of personal data may include:
- Identification and contact data: names, email addresses, and phone numbers of end-customers and reviewers.
- Review and feedback data: review content, ratings, replies, and related metadata submitted by or about end-customers.
- Campaign data: send status, delivery and engagement events, opt-out and suppression records.
- Account user data: names, business email addresses, and login credentials of the customer's authorised users.
- Technical data: IP addresses, device or browser information, and usage logs generated in connection with the service.
- The customer must not use the platform to process special categories of personal data (Article 9 GDPR) unless expressly agreed in writing, and remains solely responsible for the personal data it submits.
6. Categories of data subjects
- The customer's end-customers and clients who are invited to leave, or who leave, a review.
- Reviewers and other individuals whose feedback is collected or displayed through the platform.
- The customer's authorised employees, contractors, and other users of the account.
7. Processor obligations
Anliego shall process personal data only on documented instructions from the customer, including with regard to international transfers, unless required to do otherwise by applicable law; in such a case, Anliego shall inform the customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
The Agreement, this DPA, and the customer's use and configuration of the platform constitute the customer's complete and documented instructions. If Anliego believes an instruction infringes applicable data protection law, it shall inform the customer without undue delay.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as set out in Section 8.
- Respect the conditions for engaging sub-processors set out in Section 9.
- Assist the customer as described in Sections 11, 12, and 13.
- Make available the information necessary to demonstrate compliance with Article 28 GDPR, subject to Section 13.
8. Security measures (technical and organisational measures)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons, Anliego implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk.
A current summary of these measures is maintained on the Anliego Security page and is incorporated into this DPA by reference as Annex C. Anliego may update its measures over time, provided that the updated measures do not materially reduce the overall level of security.
- Encryption of personal data in transit and, where appropriate, at rest.
- Access controls, role-based permissions, and authentication for systems handling personal data.
- Network protection, monitoring, and logging designed to detect and respond to security events.
- Regular backups and measures to support restoration of availability and access after an incident.
- Organisational measures including staff confidentiality commitments, access on a need-to-know basis, and secure software development practices.
9. Sub-processors
The customer provides a general authorisation for Anliego to engage sub-processors to assist in providing the services. Anliego shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Anliego remains fully liable to the customer for the performance of each sub-processor's obligations.
Anliego shall maintain a list of sub-processors (summarised in Annex B) and shall inform the customer of any intended addition or replacement of a sub-processor, giving the customer the opportunity to object on reasonable, data-protection-related grounds within the notice period communicated. If the customer objects and the parties cannot resolve the objection, the customer may terminate the affected services as its sole remedy.
- Cloud hosting and infrastructure providers.
- Managed database and storage providers.
- Payment processing providers (for billing the customer).
- Email and SMS delivery providers (for sending review-request and notification messages).
- Operational tooling such as error monitoring, analytics, and customer support providers.
10. International data transfers
Anliego and its sub-processors may process personal data in the European Economic Area, the United States, and other jurisdictions. Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that does not provide an adequate level of protection, the transfer shall be governed by an appropriate safeguard under applicable law.
Such safeguards include the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or Swiss addendum, where applicable), supplemented by additional measures where necessary. The Standard Contractual Clauses are incorporated into this DPA by reference where they apply, and the parties agree to complete and observe their terms.
11. Assistance with data-subject requests
Taking into account the nature of the processing, Anliego shall assist the customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights under Chapter III GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.
Where Anliego receives a request directly from a data subject relating to the customer's data, it shall, unless legally prohibited, promptly inform the customer and shall not respond to the request itself except on the customer's documented instructions or as required by law.
12. Assistance with breach notification and DPIAs
Taking into account the nature of the processing and the information available to it, Anliego shall provide reasonable assistance to the customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including the security of processing, the notification of personal data breaches to the supervisory authority and affected data subjects, and the carrying out of data protection impact assessments and any prior consultation with a supervisory authority.
13. Personal data breach notification
Anliego shall notify the customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting personal data processed under this DPA.
Such notification shall describe, to the extent known and reasonably available, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Anliego shall provide further information as it becomes available and shall cooperate with the customer to investigate and remediate the breach. Notification is not an acknowledgement of fault or liability.
14. Audits and information rights
Anliego shall make available to the customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the customer or an auditor mandated by the customer.
To minimise disruption and protect the confidentiality and security of Anliego's systems and other customers' data, audits shall, where available, be satisfied by providing relevant documentation, security summaries, or third-party reports. On-site or detailed audits shall be limited in scope, conducted during business hours on reasonable prior written notice, no more than once per year (except following a confirmed breach or where required by a supervisory authority), and subject to confidentiality obligations, with the customer bearing its own and any reasonable third-party audit costs.
15. Return or deletion of data on termination
On termination or expiry of the Agreement, and at the choice of the customer, Anliego shall delete or return all personal data processed on the customer's behalf and delete existing copies, unless storage is required by applicable law.
Following a reasonable wind-down and export period communicated to the customer, Anliego shall delete the customer's personal data from its active systems and procure deletion by its sub-processors. Residual copies held in routine backups shall be deleted in accordance with Anliego's backup retention cycle and shall remain protected by the measures described in this DPA until deleted.
16. Liability and order of precedence
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to a party's liability means the aggregate liability of that party under the Agreement and this DPA together.
This DPA does not limit any rights or remedies available to a data subject under applicable data protection law. In the event of any conflict, the order of precedence is: (1) the Standard Contractual Clauses (where they apply), (2) this DPA, and (3) the remainder of the Agreement.
17. Governing law and jurisdiction
This DPA is governed by, and construed in accordance with, the laws of [Jurisdiction], and the parties submit to the exclusive jurisdiction of the courts of [Jurisdiction], without prejudice to any mandatory data-subject rights or supervisory-authority competence under applicable data protection law. Where the Standard Contractual Clauses apply, their governing-law and forum provisions prevail to the extent required.
18. Execution and requesting a signed copy
By accepting the Agreement or using the services, the customer agrees to this DPA on behalf of itself and, where applicable, its affiliates whose personal data is processed through the account. This DPA is effective for as long as Anliego processes personal data on the customer's behalf.
Customers who require a countersigned copy of this DPA, or a version executed on their own paper, can request one by emailing privacy@anliego.de with their account and company details. Anliego, operated by Luis Riedhammer, Föhrenweg 2, 58638 Iserlohn, will arrange execution of a signed copy.
Annexes (summary)
- Annex A — Subject matter and details of processing: the categories of data, data subjects, nature, purpose, and duration of the processing are as described in Sections 2 to 6 of this DPA.
- Annex B — Sub-processors: the categories of authorised sub-processors are listed in Section 9 (hosting, database/storage, payments, email/SMS, and operational tooling); the current sub-processor list is maintained by Anliego and made available on request to privacy@anliego.de.
- Annex C — Security measures: the technical and organisational measures are summarised in Section 8 and detailed on the Anliego Security page, which is incorporated into this DPA by reference.