Data Processing Agreement (DPA)

1. Subject and Duration

This DPA covers the processing of personal data by the Data Processor in the context of providing the Managed Matrix Hosting Service. The duration of processing corresponds to the contract term.

2. Nature and Purpose of Processing

The Data Processor processes the following data on behalf of the Controller:

• Storage and relay of messages (encrypted)
• Management of user accounts and room memberships
• Storage of media files (encrypted in E2EE rooms)
• Processing of connection metadata for message delivery

3. Categories of Data Subjects

• Employees and members of the Controller
• External communication partners (via federation)

4. Categories of Personal Data

• Account data (name, email, profile picture)
• Communication contents (in E2EE rooms: encrypted ciphertext only)
• Metadata (timestamps, room memberships, device information)
• Media files (images, documents — encrypted in E2EE rooms)

5. Technical and Organizational Measures

• End-to-end encryption (Olm/Megolm) — contents unreadable by the Processor
• Database and media storage encryption at rest
• TLS 1.3 for all connections (in transit)
• Daily/hourly encrypted backups (depending on plan)
• Access control: SSH key-only, no password login on servers
• Hosting exclusively in Germany (Hetzner, Nuremberg/Falkenstein)
• Regular security updates and monitoring

6. Sub-processors

The following sub-processors are used:

• Hetzner Online GmbH (server hosting, Germany)
• Revolut Payments UAB (payment processing, Lithuania/EU)

7. Obligations of the Processor

• Processing only on documented instructions from the Controller
• Confidentiality obligations for all employees
• Support with data subject rights and data protection impact assessments
• Deletion of all data after contract termination (within 30 days)
• Notification of data breaches within 24 hours