LanguageTool Business Data Processing Agreement
Last Modified: 21 August 2024
This Data Processing Agreement and its Annexes (“DPA”) reflects the agreement between each Party (set out in Appendix 1) with respect to the Processing of Personal Data by us on behalf of you in connection with the LanguageTool Services performed under the LanguageTool Service Terms for Business Customers and any applicable Order Form between you and us (collectively referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. This DPA fulfills the mandatory requirements for appointing a processor under Art. 28 GDPR (and U.K. GDPR as applicable). Any definitions in this agreement shall be construed in accordance with the GDPR, unless otherwise specified. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement only to the extent of such conflict or inconsistency.
Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
In the event that this DPA is modified, we will provide you with an appropriate form of online notice of such changes, such as by email or by posting a notification on relevant website pages.
1. Subject matter, nature and purpose of the processing, type of personal data and categories of data subjects
As set out in Appendix 1.
2. Duration
The term of this DPA will follow the term of the Agreement.
3. Obligations of the Processor
The Processor:
(a) processes the personal data described in Appendix 1 only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32 GDPR; the specific obligations are laid out in Appendix 2;
(d) respects the conditions referred to in Art. 28 para. 2 and 4 GDPR for engaging another processor as specified under Section 4;
(e) taking into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR;
(f) assists the Controller in ensuring compliance with the obligations pursuant to Articles 32-36 GDPR, taking into account the nature of processing and the information available to the Processor;
(g) at the choice of the Controller, deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, which shall be subject to confidentiality requirements.
With regard to point (h), the Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
4. Authorization to engage subprocessors
The Controller hereby provides the Processor with a general written authorization to employ subprocessors. All subprocessors currently used are set out in Appendix 3.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes.
Where the Processor subcontracts its obligations under this DPA, the Processor shall ensure that the subcontract imposes the same obligations on the subcontractor as are imposed on the Processor under this DPA. Processor shall remain fully liable to the Controller for the performance of the subprocessor’s obligations.
5. Processing outside of the EU/EEA
Processor will not transfer European data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European data protection laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European data protection laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including the E.U.-U.S. Data Privacy Framework (including the U.K. and Swiss Extensions) (“Data Privacy Framework”); (ii) transferring such data to a recipient that has achieved binding corporate rules authorization in accordance with European data protection laws; or (iii) transferring such data to a recipient that has executed the Standard Contractual Clauses, in each case as adopted or approved in accordance with applicable European Data Protection Laws.
You acknowledge that in connection with the performance of the LanguageTool Business Services, Learneo (the Processor and owner of LanguageTool) is a recipient of European Data in the United States. To the extent that Learneo receives European Data in the United States, Learneo will comply with the following:
Data Privacy Framework. Processor will use the Data Privacy Framework to lawfully receive European Data in the United States and ensure that it provides at least the same level of protection to such European Data as is required by the Data Privacy Framework Principles, and will let you know if it is unable to comply with this requirement.
Standard Contractual Clauses. If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to Processor and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:
(a) In relation to European Data that is subject to the EU GDPR: (i) Customer is the "data exporter" and Processor is the "data importer"; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and the Module Three terms apply to the extent the Customer is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; (viii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
(b) In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
(c) In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the "relevant courts in Switzerland".
6. General Provisions
Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement.
Appendix 1 – Subject matter, nature and purpose of the processing, type of personal data and categories of data subjects
List of Parties
Data Exporter: The data exporter (Controller) is: The Customer, as defined in the LanguageTool Business Terms and Conditions
- Address: The Customer's address, as set out in the Order Form
- Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s LanguageTool Account
Data Importer: The data importer (Processor) is: Learneo, Inc.
- Address: 2000 Seaport Blvd., 3rd Floor, Redwood City, CA 94063
- Contact person’s name, position and contact details: Barbara von dem Bussche, Data Protection Officer, DP-Dock GmbH, Ballindamm 39, 20095 Hamburg
Data Subjects: You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Your employees and authorized contractors.
Categories of data:
- Contact Information (name and email address) used to create your account(s).
- Any other Personal Data submitted by, sent to, or received by you, or your end users, via the LanguageTool Service.
Special categories of data (if appropriate): N/A
Processing operations, subject matter, nature and purpose of the processing:
We will Process Personal Data as necessary to provide the LanguageTool Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the LanguageTool Service. Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws
Appendix 2 – Technical and organizational measures
Technical and organizational measures according to the GDPR
This list of measures applies to the office locations: Karl-Liebknecht-Str. 37 in 14482 Potsdam and Boschstr. 23a in 22761 Hamburg.
Confidentiality (Article 32(1)(b) GDPR)

Access control: No unauthorized access to data processing systems
Technical and organizational measures in place:
- Manual closing system
- Key regulation
- Security locks
Access control: No unauthorized system use
Technical and organizational measures in place:
- Authentication with user password
- User authorization management
- Two-factor authentication, e.g. for all systems containing client data
- Creation of user profiles
- Use of firewalls on the servers
- Defined password rules for developers
- Use of anti-virus software
- Password release procedure in IT policy/work instruction
- Technically enforced password rules
- Careful selection of cleaning personnel
Access control: No unauthorized reading, copying, modification or removal within the system
Technical and organizational measures in place:
- Proper destruction of data carriers (DIN 66399)
- Reduction of the number of administrators to the bare minimum
- Logging of the destruction of data
- Use of service providers for file and data destruction (with certificate where possible)
- Logging of accesses to applications, especially when entering, changing and deleting data
- Password management, incl. length and change interval according to policy
- Encryption of mobile work devices (developer notebooks)
- Regular review of employee access rights
- Allocation of authorizations according to the need-to-know principle
Segregation control: Separate processing of data collected for different purposes
Technical and organizational measures in place:
- Anonymization of data sets and subsequent separate processing (analytics system)
- Creation of an authorization concept
- Separation of production and test systems
- Setting of database rights
- Logical client separation (on the software side)
Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR):
The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without recourse to additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures, where necessary.
Integrity, availability and resilience (Art. 32(1)(b) GDPR)

Transfer control: No unauthorized reading, copying, modification or removal during electronic transmission or transport
Technical and organizational measures in place:
- Developer laptops are encrypted; access protection of the hardware by user account and password
- Log files for documentation and verification of server accesses
- Content encryption as needed, if required
- Authorization concept
- Transport encryption
Input control: Determining whether and by whom personal data have been entered into, changed in or removed from data processing systems, e.g. logging, document management
Technical and organizational measures in place:
- Logging of data entry, modification and deletion (user database); log files are deleted after 14 days
- Traceability of data entry, modification and deletion through individual user names (not user groups)
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
Availability control and rapid recoverability (Article 32(1)(c) GDPR): Protection against accidental or intentional destruction or loss, and provisions to restore the data as quickly as possible
Organizational measures in place:
- Keeping data backups in a secure, off-site location
- Backup and recovery concept
- Emergency plan
- Definition of reporting channels
- Testing of data recovery
Procedures for regular review, assessment and evaluation (Article 32(1)(d) GDPR; Article 25(1) GDPR)

Data protection management
Technical and organizational measures in place:
- Regular penetration tests
- Appointment of a data protection officer
- Incident response management
- Regular reporting to the management
- Information/IT security concept
- Data protection concept
- Regular internal review and update of the measures taken in accordance with the state of the art (by DPO, IT audit, etc.)
Data protection-friendly default settings and data protection through technology design (Art. 25(2) GDPR)
Technical and organizational measures in place:
- Use of opt-in solutions
- Transparent data processing (function, monitoring by the data subject)
- Minimization of mandatory fields up to registration
- Rules on data minimization, data economy and necessity
- Clear labeling of voluntary information
- Limitation of the data and its further use to the necessary extent
- Automated deletion functions for log files
Commissioning control: Commissioned processing within the meaning of Art. 28 GDPR
Technical and organizational measures in place:
- Verification of all contractually assured technical measures, e.g. by submission of certifications
- Selection of the contractor under due diligence aspects (especially with regard to data security)
- Prior examination of the security measures taken at the contractor and corresponding documentation with evidence
- Regular review of the contractor with regard to data protection/data security
- Conclusion of contracts for commissioned processing, taking into account all legal requirements in accordance with Art. 28 GDPR
Appendix 3 – Subprocessors
Subcontractor Name | Address | Detail |
---|---|---|
Telekom Germany GmbH | Landgrabenweg 151, 53227 Bonn | Cloud service and server for hosting the websites and servers running the text checking software. |
Hetzner Online GmbH | Industriestr. 25, 91710 Gunzenhausen | Cloud service and server for hosting the websites and servers running the text checking software. |
Amazon Web Services EMEA SARL | Germany branch: Marcel-Breuer-Str. 12, 80807 Munich | Cloud service for the database where access data and usage logs are stored. Only when using the online editor (languagetool.org/editor) or the desktop app for Mac and Windows: storage of customer texts written in the online editor/desktop app. |
Cloudflare, Inc. | 101 Townsend St., San Francisco, CA 94107, USA | Only for languagetool.org: cloud service to determine approximate user location at country level, and proxy service for DDoS prevention. |
OpenAI LLC | 548 Market Street, PMB 97273, San Francisco, California 94104-5401, USA | Only when using the rephrasing feature: generation of alternative wordings. |
Aleph Alpha GmbH | Grenzhöfer Weg 36, 69123 Heidelberg | Generation of alternative wordings with the rephrasing feature. |
Google Cloud Platform | Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland | Cloud service and server for hosting the websites and servers running the text checking software. |
LanguageTooler GmbH | Karl-Liebknecht-Str. 37, 14482 Potsdam (Germany) | Local Learneo affiliate entity in Germany responsible for some data processing performed to provide the LanguageTool service. |
Amplitude, Inc. | 201 Third Street, Suite 200, San Francisco, CA 94103 | Service provider used to perform processing activities related to data analytics and performance measurement. |