RealPilot

Data Processing Agreement (DPA)

Effective: 12 May 2026

ℹ️ This page is currently under legal review. Content will be finalised shortly.

This agreement specifies the data-protection obligations between the customer ("controller" within the meaning of Art. 4(7) GDPR) and RealPilot SL ("processor" within the meaning of Art. 4(8) GDPR) when using the RealPilot platform. It supplements the GTC and becomes effective upon registration.

1. Subject Matter and Duration

This agreement governs the processing of personal data by the processor on behalf of the controller, insofar as the controller collects, stores or processes such data via the RealPilot platform. The agreement runs as long as the main contract (GTC) between the parties exists.

2. Nature and Purpose of Processing

The processor provides a SaaS platform enabling the controller to: manage their own property listings; manage their own client profiles; search for cooperation partners (Community Hub); execute broker cooperations including dual-representation protection (Kundenschutz); chat with cooperation partners; receive transactional notifications. Processing is limited to delivering these functions.

3. Types of Personal Data

The following data types are processed:
• Data of the controller's employees (name, business contact data, login data, language, role)
• Data of the controller's end customers (search/sale profiles incl. internal display name; optional contact data; cryptographic hashes of name, email and phone for dual-representation protection)
• Property data (address, price, description, images)
• Cooperation data (status, chat history, audit log)
• Technical data (IP address, user-agent, access timestamps)

4. Categories of Data Subjects

Employees of the controller; end customers of the controller (buyers, sellers, tenants, landlords); cooperating brokers and their end customers, to the extent data is exchanged within a cooperation.

5. Obligations of the Processor

The processor undertakes to:
• process data only on the documented instructions of the controller
• ensure confidentiality through employee confidentiality undertakings
• maintain the technical and organisational measures (TOMs) required under Art. 32 GDPR
• support the controller in handling data subject rights (Art. 15–22 GDPR)
• support the controller in DPIAs (Art. 35 GDPR) and prior consultations (Art. 36 GDPR)
• inform the controller without undue delay, and no later than 24 hours after becoming aware, of any personal-data breach
• delete or return all data at the controller's option upon termination, subject to statutory retention duties
• provide all information necessary to demonstrate compliance with Art. 28 GDPR and allow audits

6. Sub-Processors

The controller consents to the engagement of the sub-processors listed in our Sub-Processor List. When adding new or replacing existing sub-processors, the processor informs the controller at least 30 days in advance by email. The controller may object within that period. The processor ensures each sub-processor adheres to the same data-protection obligations set out in this agreement.

7. Third-Country Transfers

Transfers to third countries take place only if the requirements of Art. 44 et seq. GDPR are met. For transfers to the USA, we rely on the EU Standard Contractual Clauses (Decision 2021/914) and on providers' certification under the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Platform data in the Supabase database is physically stored in Frankfurt (eu-central-1).

8. Technical and Organisational Measures

The processor maintains the following TOMs pursuant to Art. 32 GDPR: TLS 1.2+ on all connections; Row Level Security (RLS) for tenant-isolated database access; bcrypt hashing for passwords; cryptographic hashes for sensitive identifiers; daily encrypted backups (7-day retention); audit log for security-critical actions; two-factor authentication for administrative access; regular security reviews. Full TOM documentation is provided upon request.

9. Data Breach Notification

In the event of a personal-data breach, the processor informs the controller without undue delay, no later than 24 hours after becoming aware. The notification includes at least: nature of the breach, categories and approximate number of affected persons, likely consequences, measures already taken or planned.

10. Liability

Art. 82 GDPR applies. Externally, both parties are jointly and severally liable to the data subject. Internally, each party bears liability proportionate to their share of responsibility. The liability limitations agreed in the main contract (GTC) do not apply to claims arising from this agreement.

11. Termination and Data Deletion

Upon termination of the main contract, the processor — at the controller's option — deletes or returns all data processed on their behalf. Retention beyond that occurs only if statutory retention obligations require it. In that case access is restricted such that only the retention purpose can be pursued.

List of Sub-Processors

The current list of our sub-processors is available at realpilot.io/legal/sub-prozessoren. It is part of this agreement.