Data Processing Addendum
Note: The German version of this document is the legally binding version. This English text is provided for convenience only.
Last updated: May 14, 2026
Version: 2026-05-14
1. Scope
This Data Processing Addendum applies where a customer organization enters, imports, or otherwise processes personal data of third parties in Ride Assignment and Pablo Thiermann processes that workspace content as a processor on behalf of the customer organization.
The customer organization is the controller within the meaning of the GDPR for that workspace content. Pablo Thiermann processes the workspace content as processor under Article 28 GDPR. In case of conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum prevails.
2. Subject Matter, Duration, Nature, and Purpose
The subject matter of processing is the provision of Ride Assignment as a software service for organizing group transportation, coordinating drivers and passengers, route planning, assignment generation, imports, exports, and supporting communication.
Processing takes place for the duration of the customer organization's use of Ride Assignment. After the end of use, workspace content is deleted or anonymized in accordance with product functionality, documented instructions, and legal requirements unless legal retention duties, legitimate transition interests, or documentation duties require retention.
The nature and purpose of processing include hosting, storage, display, validation, import, export, address search, geocoding, routing, optimization, map display, creation of route and operational plans, support, service security, troubleshooting, and technical maintenance.
3. Data Categories and Data Subjects
The following categories of data may be processed:
- organization, project, and event data;
- driver, passenger, participant, and contact data;
- addresses, coordinates, pickup points, routes, route stops, availability times, and assignments;
- import, export, PDF, ZIP, and JSON data;
- communication data where the customer organization uses email or export features;
- technical log, security, usage, and audit data where required for operation, security, and traceability;
- special categories of personal data where the customer organization enters such data, in particular health, disability, accessibility, or special transportation need information.
Data subjects may include drivers, passengers, event participants, employees, club members, volunteers, guardians, contact persons, and other persons recorded by the customer organization in Ride Assignment. Data relating to minors or other vulnerable persons may be processed only where the customer organization ensures an appropriate legal basis and safeguards.
4. Instructions
Pablo Thiermann processes workspace content only on documented instructions of the customer organization unless legally required to process it otherwise. Instructions arise in particular from the Terms of Service, this Data Processing Addendum, product use, customer organization settings, support requests, and other documented directions.
If Pablo Thiermann believes an instruction violates data protection law, Pablo Thiermann may suspend execution and inform the customer organization.
5. Confidentiality and Access
Pablo Thiermann ensures that persons with access to workspace content are subject to confidentiality obligations or appropriate statutory confidentiality duties.
Access to workspace content is limited to persons who need access for operation, security, maintenance, support, or troubleshooting. Support and operational access may take place only to the extent required.
6. Technical and Organizational Measures
Pablo Thiermann implements appropriate technical and organizational measures to protect workspace content against unauthorized access, alteration, loss, misuse, or disclosure.
These measures include in particular:
- transport encryption;
- authenticated access controls;
- organization-scoped permissions;
- row-level restrictions in the database;
- access restrictions for operational and support access;
- audit logging and security logging;
- separation of development, test, and production environments according to the technical architecture;
- limitation of optional analytics and preference storage to consent-based categories;
- avoidance of personal workspace content for analytics, training, or product-improvement purposes except in anonymized or aggregated form.
The measures are reviewed and adjusted where needed, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to data subjects.
7. Subprocessors
The customer organization gives Pablo Thiermann general authorization to use subprocessors where required for hosting, authentication, database services, billing, maps, geocoding, routing, email, analytics, security, support, or infrastructure services.
Pablo Thiermann contractually binds subprocessors to appropriate data protection obligations. The current subprocessor list is made publicly available. Intended additions or replacements of subprocessors are communicated to the customer organization through the website, application, email, or another suitable channel. The customer organization may object on legitimate data-protection grounds within the period stated in the notice. If a legitimate objection is raised, the parties will work toward a reasonable solution; where no reasonable solution is available, the affected processing may be terminated.
Where workspace content is processed outside the EU or EEA, this is done only on the basis of an adequacy decision, appropriate safeguards such as Standard Contractual Clauses, or another permitted transfer mechanism under Chapter V GDPR.
8. Assistance
Pablo Thiermann assists the customer organization to a reasonable extent with data subject rights, security requirements, personal data breach notifications, data protection impact assessments, and consultations with supervisory authorities, where the assistance relates to processing in Ride Assignment and the customer organization cannot reasonably obtain the relevant information through the application.
Pablo Thiermann informs the customer organization without undue delay if Pablo Thiermann becomes aware of a personal data breach affecting workspace content.
9. Deletion and Return
After the end of use, Pablo Thiermann deletes or returns, at the choice of the customer organization, all personal workspace content and deletes existing copies unless statutory retention duties or mandatory evidence obligations require continued retention. Where technically available, the customer organization may export data through the product functionality before deletion. In the absence of a different documented instruction, deletion follows the product functionality, documented deletion periods, and legal requirements.
Billing, security, consent, audit, and legal records may be retained with minimized identifiers where required. Technical backups may persist until they are overwritten in the ordinary backup cycle.
10. Documentation and Audits
On request, Pablo Thiermann provides the customer organization with information required to demonstrate compliance with this Data Processing Addendum, where that information is not already available through documentation, legal texts, the application, or security information. Pablo Thiermann enables and contributes to audits, including inspections, to the extent required under Article 28 GDPR.
Audits must be announced in advance, limited to the required scope, and carried out in a way that does not compromise security, confidentiality, operational stability, or the rights of other customers. Pablo Thiermann may provide appropriate documentation, information, or independent security materials as the primary audit method.
11. Customer Organization Duties
The customer organization remains responsible for having an appropriate legal basis for processing workspace content, informing data subjects, processing only required data, limiting access, minimizing sensitive data, and defining deletion periods for the specific use case.
The customer organization must in particular assess whether special categories of personal data, data relating to minors, or processing likely to result in high risk trigger additional requirements, such as a data protection impact assessment or special consent, transparency, or safeguarding duties.