Link11 Self-Serve Data Processing Agreement (DPA)

Effective Date: June 28, 2025

This English version of the Link11 Self-Serve Data Processing Agreement (DPA) is provided for convenience only. The legally binding version of this Agreement is the original German version www.link11.com/dpa. In the event of any conflict or inconsistency, the German version shall prevail.

between
Customer (the “Controller”)
and
Link11 GmbH, Lindleystr. 12, 60314 Frankfurt am Main, Germany (the “Processor”)

This DPA forms an integral part of the Terms of Service (ToS) for Link11’s self-serve services and applies to any processing of personal data as soon as a customer orders or uses Link11’s self-serve offerings.

1. Definitions

The terms used in this DPA are defined in accordance with the EU General Data Protection Regulation (GDPR), in particular Article 4.

2. Subject Matter, Duration, Nature, and Purpose of Processing

2.1 Subject Matter

Processing of personal data on behalf of the customer in connection with the use of Link11’s self-serve services.

2.2 Duration

For the duration of the main contract and any applicable statutory retention periods.

2.3 Nature and Purpose

  • Provision of security, network, and performance services

  • Storage and analysis of network and access data

  • Support operations and contract management

  • Billing and service optimization

3. Categories of Data Subjects

  • Visitors of the customer’s websites and APIs

  • Customer’s employees and administrators

  • End users of the customer (depending on use case)

4. Categories of Personal Data

  • IP addresses, header information, user agents, cookies

  • Log data, access data, timestamps

  • Support content and email communication

  • User account data, payment identifiers

5. Obligations of the Customer (Controller)

The Customer ensures:

  • the lawfulness of processing

  • that data subjects have been properly informed

  • that all instructions are clear and provided in writing

6. Obligations of Link11 (Processor)

Link11 commits to:

  • processing data only on documented instructions from the Customer

  • binding its personnel to confidentiality

  • reporting data breaches without undue delay

  • deleting or returning all personal data after contract termination

  • processing data exclusively for the performance of the agreement

  • supporting the Customer in the fulfillment of data subject rights

7. Subprocessors

Link11 engages the following subprocessors:

Subprocessor: Google Ireland Ltd.
Location: Ireland/EU
Service Provided: Cloud & Monitoring Service
Data Transfer to Third Country: No
Safeguards:

Link11 may from time to time appoint new subprocessors or make changes to existing ones. Such changes will be announced on this page at least 30 days prior to taking effect. If the Customer objects to a change on justified data protection grounds within this notice period, and Link11 is no longer able to provide the Services as agreed, the affected service will automatically terminate on the effective date of the change.

8. International Data Transfers

Where personal data is transferred outside the EU/EEA, Link11 ensures an adequate level of protection by:

  • entering into EU Standard Contractual Clauses (SCCs)

  • implementing additional safeguards (e.g., encryption, access restrictions)

9. Technical and Organizational Measures (TOMs)

Link11 ensures an appropriate level of security. The following measures are implemented:

9.1 Access Control (Physical & Logical)

  • Physical access control in data centers (e.g., biometric, RFID)

  • VPN and MFA-secured administrator access

  • Role-based access controls (need-to-know principle)

  • Role and rights management for employees

9.2 Encryption & Transmission Protection

  • TLS 1.2/1.3 encryption for all external traffic

  • Data-at-rest encryption for sensitive components

  • DNSSEC, HTTP Strict Transport Security (HSTS)

9.3 Availability Control

  • Redundant systems with load balancing

  • Global PoP distribution for traffic balancing and DDoS mitigation

  • Regular geo-redundant backups

  • Disaster recovery and business continuity plans

9.4 Input Control & Logging

  • Centralized SIEM-based logging

  • Logging of access, changes, and support actions

  • Tamper-proof audit trails

9.5 Processor Control

  • Binding agreements with all subprocessors

  • Due diligence assessments for new vendors

  • Ongoing monitoring of technical and security standards

9.6 Privacy by Default & Minimization

  • Data minimization in logging processes

  • Anonymization and pseudonymization where applicable

  • Disabling unnecessary tracking mechanisms

9.7 Training & Awareness

  • Regular data protection and IT security training for all employees

  • Awareness programs for social engineering and phishing threats

10. Assistance with Data Subject Rights

Link11 supports the Customer with:

  • access, deletion, restriction, and objection requests

  • data portability

  • communication with supervisory authorities

11. Audit Rights

Customers may audit Link11’s compliance with this DPA:

  • maximum once per year, with 4 weeks’ advance notice

  • through on-site visits or questionnaire-based reviews

  • at the Customer’s expense unless a data protection breach is found

12. Deletion or Return of Data

Upon termination of the contract:

  • all personal data will be deleted or returned to the Customer

  • log and protocol data will be deleted within 90 days unless statutory retention applies

13. Liability

Liability is governed by the main agreement. Additional liability, in particular for gross negligence or intent, remains unaffected.

14. Final Provisions

  • German law applies

  • Place of jurisdiction is Frankfurt am Main

  • Amendments require written form

  • In the event of conflict, this DPA shall prevail over the ToS in matters of data protection

X