Parties
Data Processor (Provider):
| Field | Value |
|---|---|
| Company | Sellfaster GbR |
| Managing Partners | Moritz Carl Stößlein, Alexander Wiener, Manuel Frederic Zerpies |
| Address | Sudetendeutschestraße 11, 90480 Nürnberg |
| team@sellfaster.eu | |
| Website | sellfaster.eu |
Data Controller (Customer):
| Field | Value |
|---|---|
| Company | [Customer Company Name] |
| Represented by | [Managing Director / Authorised Person] |
| Address | [Street, Postcode City] |
| [contact@customercompany.com] |
Preamble
The Controller uses the Sellfaster software platform (hereinafter "Platform") to support its sales processes, in particular for capturing and managing leads, contact data and interactions in the context of door-to-door and field sales.
In the course of using the Platform, Sellfaster GbR processes personal data as a data processor pursuant to Art. 28 GDPR on behalf of and in accordance with the instructions of the Controller, who acts as the data controller within the meaning of Art. 4 No. 7 GDPR.
This Agreement governs the rights and obligations of both parties with regard to the processing of personal data and forms the basis for compliant use of the Platform.
| Data Controller | Data Processor | |
|---|---|---|
| Party | [Customer Company] | Sellfaster GbR |
| Role | Determines the purposes and means of processing. Bears data protection responsibility towards data subjects. | Processes data solely on the instructions of the Controller. Provides the technical platform and ensures data security. |
| Legal basis | Art. 4 No. 7 GDPR | Art. 4 No. 8 GDPR |
Section 1 – Subject Matter and Duration
1.1 Subject Matter
The subject matter of the data processing is the operation and provision of the Sellfaster platform, which enables the Controller to coordinate sales representatives, capture potential customers (leads) and document interactions.
1.2 Duration
Processing takes place for the duration of the service agreement between the parties. Upon termination, personal data will be deleted or returned in accordance with Section 7 of this Agreement.
Section 2 – Nature and Purpose of Processing
2.1 Purpose
Personal data is processed solely for the purpose of providing the contractually agreed services, in particular:
- Capturing and managing lead data (potential customers)
- Documenting sales interactions and contact attempts
- Assigning sales territories and representatives
- Reporting and performance tracking for the Controller
- Enabling follow-up workflows
2.2 Nature of Processing
Processing includes in particular: collection, storage, organisation, retrieval, use, transmission, restriction, erasure and destruction of personal data.
Section 3 – Categories of Personal Data
| Category | Examples |
|---|---|
| Master data (Leads) | Name, address, phone number, email address |
| Interaction data | Date/time of contact, outcome (interested, not interested, no contact), notes |
| Location data | GPS coordinates at point of contact capture (if enabled) |
| Employee data | Name, email, role of the Controller's sales representatives |
| Usage data | Login times, app activity for system administration |
Special categories of personal data pursuant to Art. 9 GDPR are not processed via the Platform as a matter of principle. Should the Controller input such data, responsibility lies solely with the Controller.
Section 4 – Categories of Data Subjects
The following categories of persons are affected by the data processing:
- Potential customers of the Controller (leads) who have been or are to be contacted in the course of sales activities
- Sales representatives and other users of the Controller who actively use the Platform
Section 5 – Obligations of the Processor (Sellfaster GbR)
5.1 Processing on Instructions
Sellfaster GbR processes personal data solely on documented instructions from the Controller, unless required to do so by applicable law. In such cases, Sellfaster GbR will inform the Controller prior to processing, to the extent permitted by law.
5.2 Confidentiality
Sellfaster GbR ensures that all persons authorised to process personal data are subject to appropriate confidentiality obligations or statutory duties of secrecy.
5.3 Technical and Organisational Measures (TOMs)
Sellfaster GbR implements appropriate technical and organisational measures in accordance with Art. 32 GDPR. The current TOMs are set out in Annex 1 to this Agreement.
5.4 Sub-processors
Sellfaster GbR is authorised to engage sub-processors. A list of current sub-processors is set out in Annex 2. The Controller will be notified of any changes or additions to sub-processors and retains the right to object.
5.5 Assistance with Data Subject Rights
Sellfaster GbR assists the Controller in fulfilling data subject rights (Art. 15–22 GDPR) to the extent technically feasible, in particular by providing data export functions and access management capabilities.
5.6 Personal Data Breach Notification
Sellfaster GbR will notify the Controller of any personal data breach without undue delay, and no later than 48 hours after becoming aware of it, by email to the registered contact address.
5.7 Assistance with Data Protection Impact Assessments
Sellfaster GbR will assist the Controller in carrying out data protection impact assessments pursuant to Art. 35 GDPR, insofar as they relate to processing carried out by Sellfaster GbR.
Section 6 – Obligations of the Controller
The Controller, as the data controller within the meaning of the GDPR, is responsible for the lawful collection of personal data. This includes in particular:
- Ensuring a legal basis for each processing activity (e.g. consent, legitimate interest)
- Fulfilling information obligations towards data subjects pursuant to Art. 13/14 GDPR
- Ensuring that sales representatives do not capture data without an appropriate legal basis
- Regularly reviewing and updating instructions to Sellfaster GbR
- Reporting personal data breaches to the competent supervisory authority within 72 hours
Section 7 – Erasure and Return of Data
7.1 Automatic Erasure
The Platform features automated erasure routines for interaction data and states. By default, interaction data is automatically deleted after [X] days, unless the Controller has configured a different retention period.
Configured retention periods are visible in the Controller's account management and can be adjusted within the available technical options.
7.2 Erasure upon Termination
Upon termination of the service agreement, all personal data of the Controller will be deleted within 30 days, unless a statutory retention obligation applies. Upon request, Sellfaster GbR will provide a data export prior to deletion.
7.3 Confirmation
Sellfaster GbR will confirm the complete erasure of data in writing upon request by the Controller.
Section 8 – Technical and Organisational Measures (Annex 1)
| Measure | Implementation |
|---|---|
| Encryption | Transport and data encryption (TLS/HTTPS), encryption of sensitive database fields |
| Access control | Role-based permission system, individual user accounts, no shared logins |
| Data minimisation | Processing of necessary data only, configurable mandatory fields |
| Automatic erasure | Automated erasure routines for interaction data after configurable retention periods |
| Backups | Regular encrypted data backups |
| Database hardening | Optimised database parameters, access only via authenticated services |
| Audit log | Logging of security-relevant changes (who changed what and when) |
| Software development | Security testing at releases, production access for developers only when necessary |
Section 9 – Sub-processors (Annex 2)
| Provider | Service | Location / Legal Basis |
|---|---|---|
| Hetzner Online GmbH | Website hosting, server infrastructure, database hosting | Germany – no third-country transfer |
| Cloudflare, Inc. | CDN, DDoS protection & DNS | USA – EU-US Data Privacy Framework |
| Google LLC | User account registration & authentication (OAuth 2.0) | USA – EU-US Data Privacy Framework |
| New Relic, Inc. | Website performance monitoring | USA – EU-US Data Privacy Framework |
| PostHog Inc. | Web & mobile analytics | USA – EU-US Data Privacy Framework |
| Lemon Squeezy, LLC | Invoicing & billing | USA – Standard Contractual Clauses |
| Mistral AI SAS | AI platforms | France / EU – no third-country transfer |
| Plus Five Five, Inc | Communicate & chat with users (in-app support) | USA – Standard Contractual Clauses |
| Termly.io | Functionality & infrastructure optimisation (cookie consent, privacy policy) | USA – Standard Contractual Clauses |
Section 10 – Audit Rights
Sellfaster GbR shall provide the Controller with all information reasonably required to demonstrate compliance with this Agreement. At the Controller's expense, Sellfaster GbR shall reasonably assist with audits by providing relevant documentation, certifications or third-party audit reports. Physical on-site inspections are excluded; the Controller accepts documentary evidence as an equivalent substitute.
Section 11 – Liability
Sellfaster GbR is liable for damages resulting from processing that does not comply with the Controller's instructions or is otherwise unlawful, in accordance with the GDPR and applicable national law.
The Controller is liable as the data controller for all processing carried out on its instructions or by its sales representatives via the Platform.
Section 12 – Final Provisions
12.1 Amendments
Sellfaster GbR reserves the right to amend this DPA in response to changes in legal requirements or technical infrastructure. The following notice periods apply:
- Standard amendments: Notice of at least 4 weeks before the amendment takes effect, sent by email to the registered contact address.
- Urgent amendments (e.g. legal obligation, security vulnerability, supervisory authority instruction): Notice within 48 hours. The Controller will be informed without delay and retains a right of extraordinary termination where the amendment materially affects its rights.
If the Controller does not object to a standard amendment in writing within the notice period, the amendment is deemed accepted.
12.2 Governing Law
This Agreement is governed by the laws of the Federal Republic of Germany. Place of performance and jurisdiction is [registered place of business of Sellfaster GbR].
12.3 Severability
If any provision of this Agreement is or becomes invalid, this does not affect the validity of the remaining provisions.
12.4 Priority
In the event of any conflict between this DPA and other agreements between the parties, this DPA shall take precedence in relation to data protection matters.
Execution
Form of Execution
| Option | Description | Legal Basis |
|---|---|---|
| Wet ink signature | Printed copy signed by both parties, exchanged by post or scanned copy by email | German Civil Code (BGB) §§ 126, 127 |
| Qualified Electronic Signature (QES) | Signing via services such as DocuSign, Adobe Sign or D-Trust with a qualified signature pursuant to eIDAS | eIDAS Art. 25(2), BGB § 126a |
| Acceptance via registered account * | Active confirmation in the Sellfaster dashboard after login – timestamp and user ID are logged server-side (as used by Cloudflare, New Relic and others) | Equivalent to text form, BGB § 126b |
* Acceptance via registered account constitutes a legally binding agreement, provided the Controller was logged in and authorised at the time of confirmation. Sellfaster GbR logs the timestamp, account ID and IP address and can provide these as evidence upon request.
Version: February 2026 – Sellfaster GbR – sellfaster.e