Effective Date: May 26, 2026
This Data Processing Agreement (“DPA”) forms part of the Agreement (as defined below) between dltHub and the Subscriber (“Controller”) for the provision of the dltHub data pipeline platform and related services. By subscribing to or using the dltHub Service, the Controller accepts the terms of this DPA. In the event of any conflict between this DPA and the Agreement regarding the processing of personal data, this DPA shall take precedence.
Processor:
ScaleVector GmbH and its affiliates (doing business as "dltHub")
Rosenthaler Str. 36, Berlin 10178, Germany
hello@dlthub.com
Controller ("Subscriber"):
The entity that has entered into the Agreement with dltHub, as identified in the applicable Order Form or subscription registration.
Together referred to as the "Parties."
In this DPA, the following terms have the meaning assigned to them in the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"): "personal data", "data subject", "processing", "controller", "processor", "supervisory authority", "personal data breach".
"Controller" means the Subscriber as defined in the Agreement (i.e., the entity that has entered into the Agreement with dltHub and determines the purposes and means of processing of Subscriber Personal Data).
"Subscriber Personal Data" means any personal data (as defined under applicable data protection law, including the GDPR) that is contained within, or forms part of, the Subscriber Data (as defined in the Agreement) and that the Processor processes on behalf of the Controller in connection with the provision of the dltHub Service.
"Agreement" means the dltHub Terms of Use (https://dlthub.com/terms) and any applicable Supplemental Terms entered into between dltHub and the Subscriber, and any other agreement between dltHub and the Subscriber into which this DPA is incorporated.
2.1 The Processor provides a cloud-based data pipeline service (including the open-source “dlt” library and the dltHub Pro managed platform) that enables the Controller to extract, load, and transform data across systems through the dltHub Service.
2.2 In the course of providing the dltHub Service, the Processor may process personal data on behalf of the Controller. The specific categories of personal data, categories of data subjects, and the nature and purpose of processing are set out in Annex 1.
2.3 The Processor shall process personal data solely for the purposes set out in Annex 1 and only to the extent necessary to provide the dltHub Service to the Controller.
3.1 Instructions. The Processor shall process personal data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller before processing, unless prohibited by law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection provisions.
3.2 Confidentiality. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security. The Processor shall implement and maintain appropriate technical and organisational measures in accordance with Article 32 GDPR. See Annex 2 for the applicable measures.
3.4 Sub-processors. The Controller grants the Processor general written authorisation to engage sub-processors. The Processor shall maintain an up-to-date list of sub-processors engaged in the provision of the Service and shall make such list available to the Controller upon written request. The Processor shall provide at least 14 days’ prior written notice of any intended changes. If the Controller reasonably objects, the Parties shall work in good faith to resolve the issue. If unresolved within 30 days, either Party may terminate the Agreement.
3.5 Data Subject Rights. The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to data subject rights requests under Chapter III GDPR.
3.6 Compliance Assistance. The Processor shall assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR, taking into account the nature of processing and information available.
3.7 Deletion or Return. At the Controller’s choice, the Processor shall delete or return all Subscriber Personal Data after the end of the provision of the dltHub Service, and shall delete existing copies, unless Union or Member State law requires storage.
3.8 Audit Rights. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for audits or inspections conducted on the Controller’s behalf by an independent and acknowledged data protection auditor subject to duty of secrecy who enters into a non-disclosure agreement with the Processor on terms reasonably acceptable to the Processor. Prior to conducting any audit or inspection, Controller shall give the Processor reasonable notice (which shall in no event be less than fourteen (14) days’ notice) and submit a detailed audit plan to the Processor describing the proposed scope, duration, and start date of the audit. The Processor will review the proposed audit plan and provide the Controller with any feedback, concerns, or questions (for example, any request for information that could compromise the Processor’s security, privacy, employment, or other relevant policies). The Processor will work cooperatively with the Controller to agree on a final audit plan. Any audit or inspection shall be conducted during normal business hours only and not unreasonably interfere with the Processor’s business operations. The Controller shall not exercise its audit rights under this clause more than once in any calendar year, except to the extent that any additional audit is expressly required under the GDPR or by a competent supervisory authority. Nothing in this Clause 3.8 shall be construed to obligate the Processor to breach any duty of confidentiality.
3.9 Records. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller as required by Article 30(2) GDPR.
4.1 The Controller is responsible for the lawfulness of processing personal data prior to and after transmission to the Processor.
4.2 The Controller shall ensure it has a valid legal basis for each processing activity it instructs the Processor to carry out, including obtaining any necessary consents from data subjects.
4.3 The Controller shall provide the Processor with all information and assistance reasonably required to comply with applicable data protection law.
5.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Subscriber Personal Data.
5.2 The notification shall include, to the extent available to the Processor:
5.3 Where information cannot be provided simultaneously, it may be provided in phases without undue further delay.
6.1 Where processing of Subscriber Personal Data subject to the GDPR involves a transfer of personal data outside the EEA, the Processor shall ensure such transfer is subject to an appropriate safeguard under Chapter V GDPR, including Standard Contractual Clauses adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“SCCs”).
6.2 To the extent there is a Restricted Transfer from Processor (as a data exporter) to Controller (as a data importer) under the Agreement, the Parties hereby enter into Module Four of the SCCs, pursuant to clause 6.1 above, in accordance with the following: (i) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; (ii) Clause 7 of the SCCs (the ‘Docking Clause’) is not used; (iii) in Clause 11 of the SCCs, the optional language is not used; (iv) in Clause 17 of the SCCs, the Parties agree that the SCCs shall be governed by the law of Germany; (v) in Clause 18 of the SCCs, the Parties agree that any dispute arising from the SCCs shall be resolved by the courts of Berlin, Germany; and (vi) Annex I of the SCCs is populated with the corresponding information as identified in Annex 1 of this DPA and in the applicable Order Form or subscription registration.
7.1 This DPA is effective from the date the Controller enters into the Agreement and shall remain in force for as long as the Processor processes personal data on behalf of the Controller under the Agreement.
7.2 Upon expiry or termination of the Agreement, the Controller shall have 30 days to export any Subscriber Personal Data stored on the dltHub Service. Following that 30-day period, the Processor shall, at the Controller's election, either:
unless applicable law requires retention. This clause is consistent with, and subject to, the data export and deletion provisions set out in the Agreement.
8.1 Each Party shall be liable for damages caused by processing that infringes GDPR in accordance with Article 82 GDPR and the liability provisions of the Agreement. As between the Parties, any such liability shall be subject to the limitations and caps set out in the Agreement (including the aggregate liability cap based on fees paid in the preceding 12 months), to the maximum extent permitted by applicable law. For the avoidance of doubt, nothing in this DPA limits either Party's liability to data subjects or supervisory authorities under Article 82 GDPR or applicable law.
8.2 The Processor shall be exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.
9.1 This DPA is governed by the laws of the Federal Republic of Germany, without regard to conflict of law provisions.
9.2 Any disputes shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany.
10.1 Should any provision of this DPA be invalid, the remaining provisions shall remain in full force. The invalid provision shall be replaced by one that best reflects the Parties' intentions.
10.2 This DPA constitutes the entire agreement between the Parties regarding the processing of personal data by the Processor on behalf of the Controller and supersedes all prior agreements on the same subject matter.
10.3 Each Party shall act in good faith to agree variations to this DPA that are reasonably necessary to address the requirements of the GDPR and any other applicable data protection laws from time to time. Without limiting the foregoing, Processor may on notice vary this DPA and replace the relevant SCCs so as to enable the lawful transfer of Subscriber Personal Data by Processor to Controller under this DPA in compliance with the GDPR.
Processor: ScaleVector GmbH and its affiliates (doing business as "dltHub"), 36 Rosenthaler Str., Berlin 10178, Germany
The Processor provides the dltHub data pipeline platform, enabling the Controller to build, deploy, and manage data extraction and loading pipelines. Processing continues for the duration of the Agreement.
Depending on the data sources configured by the Controller, processing may involve:
Note: The Controller is responsible for determining which personal data is transmitted through the dltHub Service.
The Parties do not anticipate the processing of special categories of personal data under Article 9 GDPR. Should the Controller intend to process such data, this must be agreed in writing in advance.
Personal data contained in pipeline runs is retained for the period configured by the Controller, subject to a default maximum retention of 90 days for pipeline logs, unless otherwise agreed.
The Controller hereby grants the Processor general written authorisation to engage sub-processors to process Subscriber Personal Data on its behalf, subject to the following conditions:
(d) if the Controller reasonably objects to a proposed sub-processor within fourteen (14) days of notification, the Parties shall work together in good faith to resolve the objection within thirty (30) days. If unresolved, either Party may terminate the Main Agreement on written notice without further liability, save for fees accrued up to the date of termination.
