This is a courtesy translation. The legally binding version is the German original.
Data Processing Agreement
pursuant to Art. 28 General Data Protection Regulation (GDPR)
CalDAVconnect – calendar synchronization service
Processor (Service Provider)
| Company | Mediakreativ UG (haftungsbeschränkt) |
| Managing Director | Christian Schindler |
| Address | Herrengasse 2, 06542 Allstedt, Germany |
| Commercial register | Amtsgericht Stendal, HRB 31481 |
| VAT ID | DE 322458269 |
| hello@caldavconnect.de | |
| Website | caldavconnect.de |
The controller is the registered user of the service. The contractual relationship arises from registration and acceptance of the General Terms and Conditions.
Upon request, the processor will provide an individually signed copy of this agreement.
§ 1 Subject Matter and Duration
(1) The processor operates the calendar synchronization service CalDAVconnect (hereinafter the “Service”). The Service enables bidirectional synchronization of CalDAV calendars (e.g. Nextcloud, SOGo, Radicale, Baikal, Synology, Infomaniak, mailbox.org, Posteo, Fastmail) with cloud calendar platforms (Google Calendar, Microsoft 365).
(2) In providing the Service, the processor processes personal data on behalf of and in accordance with the instructions of the controller pursuant to Art. 28 GDPR.
(3) This agreement applies from the time of acceptance (registration / commencement of use) and runs for an indefinite period. It ends automatically when the main contract (grant of use / user agreement) between the parties is terminated.
§ 2 Nature and Purpose of Processing
(1) The processor processes personal data solely for the purpose of performing the main contract, in particular:
- Retrieving calendar events from the controller’s CalDAV server
- Transmitting calendar events to Google Calendar and/or Microsoft 365
- Receiving calendar changes from Google Calendar/Microsoft 365 via webhook
- Encrypted interim storage of sync metadata and calendar data (shadow data) to enable bidirectional synchronization
(2) The processor does not process data for its own purposes.
§ 3 Types of Personal Data
The following categories of personal data are processed under this processing agreement:
| Data Category | Encryption |
|---|---|
| Calendar events (title, description, date, time, location, participant e-mail addresses) | AES-256-GCM |
| CalDAV server credentials (username, URL; password stored encrypted) | AES-256-GCM |
| OAuth tokens for Google Calendar and Microsoft 365 | AES-256-GCM |
| Sync metadata (sync tokens, delta links, CTag values, timestamps) | — |
| Technical log data (IP addresses, timestamps, error messages) | — |
| User e-mail address and name | — |
Special categories (Art. 9 GDPR)
If the controller synchronizes calendars containing health data (e.g. a medical practice with patient names in appointment titles), these constitute special categories of personal data pursuant to Art. 9 GDPR. In that case, the controller is responsible for ensuring that an appropriate legal basis under Art. 9(2) GDPR exists.
§ 4 Categories of Data Subjects
The following are affected by the processing:
- Users of the Service (the controller itself and, where applicable, employees)
- Third parties whose data is contained in calendar events (e.g. meeting participants, patients, customers)
§ 5 Obligations of the Processor
(1) The processor processes personal data solely in accordance with the documented instructions of the controller, unless it is required to process the data under Union or Member State law.
(2) The processor ensures that persons authorized to process the data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
(3) The processor assists the controller, as far as possible, in responding to requests from data subjects exercising their rights under Chapter III GDPR.
(4) The processor assists the controller in complying with the obligations referred to in Art. 32–36 GDPR (data security, breach notification, data protection impact assessment).
(5) Upon completion of the processing services, the processor deletes or returns all personal data unless Union or Member State law requires storage.
(6) The processor makes available to the controller all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR.
§ 6 Technical and Organizational Measures (TOMs)
The processor has implemented appropriate technical and organizational measures pursuant to Art. 32 GDPR, in particular:
Confidentiality
| Encryption at rest | AES-256-GCM for all credentials, OAuth tokens, and calendar content (BSI TR-02102-1 compliant) |
| Key management | Envelope encryption: the data encryption key (DEK) is protected by a key encryption key (KEK) stored on a physically separate server in a private network |
| Transport encryption | TLS 1.3 (browser ↔ server), TLS 1.2+ (API communication) |
| Access control | Only authorized persons have access to production systems; key server with dedicated SSH keys, IP allowlisting, and bearer token authentication |
| Cloud firewall | IP-based access restriction at network level (Hetzner Cloud Firewall); SSH access limited to authorized IP addresses |
| VPN access | Administrative access to production systems exclusively via encrypted VPN (Tailscale, WireGuard-based) |
| OAuth 2.0 | Connection to Google Calendar and Microsoft 365 via OAuth (no password storage for cloud accounts) |
Integrity
| Authenticated encryption | GCM authentication tag detects tampering with encrypted data |
| Sync logging | Logging of all sync operations with timestamps |
| Conflict detection | Detection and handling of sync conflicts |
| CSRF protection | Laravel CSRF token validation |
| SQL injection prevention | Eloquent ORM with prepared statements |
| XSS protection | Blade templates with automatic output escaping |
Availability and resilience
| Hosting | Hetzner Online GmbH, Nuremberg data center, Germany |
| Backups | Daily PostgreSQL backups (Hetzner Object Storage, 14-day retention, EU) |
| Recovery | Backup restore tested; encryption keys stored separately |
| Rate-limit resilience | Automatic backoff on API throttling |
| Fault isolation | Sync errors in individual connections do not affect other connections |
| Monitoring | Automated error monitoring of all sync connections; alerting on system outages |
| Real-time alerting | Push notifications for security-relevant events (SSH logins, critical errors, unauthorized key server access); alerts do not contain personal user data |
Verification procedures
| Regular review | Regular review of security measures |
| Request logging | Logging of all access to the key server (12-week retention) |
| E-mail security | DNSSEC, SPF, DKIM, DMARC, and MTA-STS for all business e-mail |
§ 7 Sub-Processing
(1) The processor currently uses the following sub-processors:
| Service Provider | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Nuremberg, Germany | Server hosting and infrastructure |
| Lettermint | Netherlands (EU) | Transactional e-mail delivery |
| Plausible Analytics | EU | Privacy-friendly web analytics |
| ntfy.sh (Philipp C. Heckel) | Germany / EU | System monitoring and real-time alerting (no personal user data) |
| Google LLC | USA (SCCs) | Google Calendar API |
| Microsoft Corporation | USA (SCCs) | Microsoft Graph API |
(2) The processor will notify the controller of changes to sub-processing relationships at least 30 days in advance. The controller may object to sub-processors.
(3) For transfers to third countries to Google LLC and Microsoft Corporation, the EU Commission-approved standard contractual clauses (SCCs) are used as appropriate safeguards pursuant to Art. 46(2)(c) GDPR.
§ 8 Rights of Data Subjects
(1) The processor assists the controller in handling requests from data subjects to exercise their rights under Art. 15–22 GDPR (access, rectification, erasure, restriction, portability, objection).
(2) If a data subject contacts the processor directly, the processor will forward the request to the controller without undue delay.
§ 9 Data Breach Notification
(1) The processor assists the controller in complying with its obligations under Art. 33 and 34 GDPR (notification of personal data breaches).
(2) The processor will notify the controller of personal data breaches without undue delay and in any event no later than 72 hours after becoming aware of them. Notification will be sent by e-mail to the address provided by the controller.
§ 10 Controller's Right of Audit
(1) The controller is entitled to verify, or have verified by a third party, the processor’s compliance with the provisions of this agreement to an appropriate extent.
(2) Upon request, the processor will provide the controller with all information necessary for this purpose and will permit inspections where proportionate and announced with reasonable notice (at least 5 business days).
(3) Alternatively, the processor may provide current certifications or audit reports from recognized bodies, where available.
§ 11 Controller's Right of Instruction
(1) The controller has the right to issue instructions regarding the processing of personal data.
(2) Instructions are generally given through configuration in the user account (e.g. selection of calendars to synchronize, sync direction). Further instructions must be given in writing (e-mail is sufficient).
(3) If the processor considers an instruction to violate data protection law, it may suspend execution until the matter is clarified and will inform the controller.
§ 12 Deletion and Return of Data
(1) Upon termination of the main contract, the processor deletes all of the controller’s personal data unless statutory retention obligations apply.
(2) Deletion includes in particular:
- CalDAV credentials (encrypted)
- OAuth access and refresh tokens (encrypted)
- Shadow data of all calendar events (encrypted)
- Event mappings and sync logs
- User data (name, e-mail, password hash)
(3) External webhooks (Google, Microsoft) are actively stopped before deletion.
(4) Deletion takes place no later than 30 days after termination of the contract. Database backups are overwritten in the course of regular backup rotation after a maximum of 14 days.
(5) Upon request, the processor confirms deletion in writing.
§ 13 Liability
(1) For damages arising from a breach of this agreement or the GDPR, the parties are liable in accordance with applicable law, in particular pursuant to Art. 82 GDPR.
(2) The controller indemnifies the processor against third-party claims based on processing instructed by the controller that violates applicable law.
§ 14 Final Provisions
(1) This agreement is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods.
(2) Place of performance and exclusive place of jurisdiction for all disputes arising from this agreement is Allstedt, where permitted by law.
(3) Amendments and supplements to this agreement require text form (e-mail is sufficient).
(4) Should individual provisions of this agreement be or become invalid, the validity of the remaining provisions shall remain unaffected.
(5) In the event of conflicts between this agreement and the main contract, the provisions of this agreement shall prevail with respect to data processing.
Note: This DPA does not replace legal advice. If in doubt, consult a lawyer specializing in data protection law.
Last updated: April 2026 – Version 1.1