pursuant to Art. 28 GDPR
Last updated: April 2026
This translation is provided for information purposes only. Only the German version is legally binding.
This Data Processing Agreement (hereinafter “DPA”) specifies the data protection obligations of the contracting parties arising from the usage agreement concluded between them concerning the RIKE platform (hereinafter the “Main Agreement”). It applies to all activities in which Vegvísir GmbH (hereinafter the “Processor”) processes personal data of the customer (hereinafter the “Client” or “Controller”) on the Client's behalf.
(1) The subject matter of the data processing is the provision of the cloud-based SaaS platform RIKE for the management of members, events, documents, communication, and other association- and club-related processes in accordance with the Main Agreement.
(2) The duration of the data processing corresponds to the term of the Main Agreement. It begins with the provision of the platform and ends upon termination of the contract, but no later than upon the final deletion of all Client data pursuant to § 10 of this DPA.
Nature of the processing: Collection, storage, structuring, adaptation, retrieval, transmission, erasure, restriction, and other operations associated with the provision of the platform.
Purpose of the processing: Enabling the Client's contractual use of the RIKE platform for the organization and management of its club or association.
Types of personal data:
Categories of data subjects:
Special categories of personal data within the meaning of Art. 9 GDPR are not the subject of the data processing. The Client is obliged not to enter such data into the platform without prior coordination and additional technical safeguards.
(1) The Processor processes personal data exclusively within the scope of the agreements made and in accordance with the documented instructions of the Client, unless it is required by law to carry out other processing. In such a case, the Processor shall inform the Client of these legal requirements prior to the processing, unless the law in question prohibits such notification on important grounds of public interest.
(2) The Processor shall inform the Client without undue delay if it considers that an instruction infringes data protection provisions. The Processor is entitled to suspend the execution of the relevant instruction until it has been confirmed or amended by the Client.
(3) The Processor ensures that the persons authorized to carry out the processing have committed themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy.
(4) The Processor implements the technical and organizational measures described in § 5 in accordance with Art. 32 GDPR and maintains them for the duration of the contract.
(5) The Processor supports the Client, within the scope of its capabilities, in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Art. 32 to 36 GDPR.
(6) The Processor has appointed an external data protection officer where required by law. The contact details will be provided to the Client upon request.
(1) Within the scope of this agreement, the Client is solely responsible for compliance with the statutory provisions of data protection law, in particular for the lawfulness of the transfer of data to the Processor and for the lawfulness of the data processing (“controller” within the meaning of Art. 4(7) GDPR).
(2) The Client shall, as a rule, issue its instructions in writing or in text form (e.g. by email to support@rike.club). Verbal instructions must be confirmed in writing or in text form without undue delay.
(3) The Client shall notify the Processor of the persons authorized to issue instructions. In case of doubt, the users registered as administrators in the system are deemed authorized to issue instructions.
(4) The Client shall inform the Processor without undue delay if it detects errors or irregularities in connection with the processing of personal data by the Processor.
In accordance with Art. 32 GDPR, the Processor ensures the security of the processing through appropriate technical and organizational measures. These include, in particular:
1. Confidentiality
2. Integrity
3. Availability and Resilience
4. Procedures for Regular Review, Assessment, and Evaluation
The current version of the TOMs will be made available to the Client in detailed form upon request. The Processor is entitled to adapt the TOMs in the course of technical development, provided that the level of protection agreed in this DPA is not reduced.
(1) The Client consents to the use of the following subprocessors:
| Name | Registered office | Service |
|---|---|---|
| Vercel Inc. | USA (EU data centers in Frankfurt) | Web hosting, edge delivery |
| Supabase Inc. | Singapore (EU data centers in Frankfurt) | Database, authentication, file storage |
| Stripe Payments Europe, Ltd. | Ireland | Payment processing |
| Resend, Inc. | USA | Transactional emails |
| Anthropic PBC | USA | AI assistant (Platin plan only) |
(2) The Processor has concluded agreements pursuant to Art. 28 GDPR with all subprocessors named above which ensure a level of protection comparable to this DPA. For transfers to third countries, Standard Contractual Clauses of the EU Commission pursuant to Art. 46 GDPR together with supplementary safeguards are in place.
(3) The Processor shall inform the Client in text form in good time before engaging or replacing a subprocessor (e.g. by email to the admin address on file or by notice within the platform). The Client may object to the change in text form within 14 days of receipt of the notification on important grounds relating to data protection law.
(4) If the Client objects on justified grounds, the Processor is entitled to terminate the contract with 30 days' notice if an amicable solution cannot be reached.
(5) Services which the Processor obtains from third parties as purely ancillary services (e.g. telecommunications services, postal and transport services, cleaning, maintenance staff) do not constitute subprocessing within the meaning of this provision.
(1) The Processor shall, where possible, support the Client with appropriate technical and organizational measures in fulfilling the rights of data subjects pursuant to Art. 12 to 22 GDPR (access, rectification, erasure, restriction, data portability, objection).
(2) If a data subject contacts the Processor directly to exercise their rights, the Processor shall forward this request to the Client without undue delay.
(3) The Client independently uses the access, rectification, and deletion functions provided in the platform administration to handle data subject rights.
(1) The Processor shall inform the Client without undue delay, but no later than within 48 hours of becoming aware, of any breaches of the protection of the Client's personal data (Art. 33 GDPR).
(2) The notification shall include at least:
(3) The Processor supports the Client in fulfilling its notification obligations towards the supervisory authority (Art. 33 GDPR) and in notifying the data subjects (Art. 34 GDPR).
(1) The Client has the right to satisfy itself of the Processor's compliance with the obligations under this DPA. For this purpose, the Processor shall provide the Client with the necessary information upon request, in particular:
(2) If, in the Client's view, the submission of the aforementioned documents is not sufficient, the Client may, once a year or where there is specific cause, have an on-site inspection carried out by an expert third party designated by it. The third party must not be a competitor of the Processor and must be bound to confidentiality.
(3) Inspections must be announced in text form with at least 30 days' notice and must take place during normal business hours without disproportionately disrupting business operations.
(4) The Client bears the costs of the inspection. The Processor is entitled to charge a reasonable fee for its own expenses.
(1) Upon completion of the data processing – at the latest upon termination of the Main Agreement – the Processor shall make an export of the Client's data available to the Client via the platform for 30 days in a common, machine-readable format (e.g. JSON/CSV).
(2) After expiry of the export period, the Processor shall delete all personal data processed under the Main Agreement irrevocably and in compliance with data protection law, including any copies held by subprocessors, unless statutory retention obligations prevent deletion.
(3) Backup data is deleted as part of the regular backup rotation, but no later than within 90 days after the end of the contract.
(4) The deletion will be confirmed to the Client in writing or in text form upon request.
The liability of the parties is governed by the provisions of the Main Agreement accordingly, unless otherwise provided in this DPA. Art. 82 GDPR remains unaffected.
(1) This DPA supplements the Main Agreement. Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall remain unaffected. The invalid provision shall be deemed replaced by the valid provision that most closely reflects the meaning and purpose of the invalid provision.
(2) In the event of contradictions between this DPA and the Main Agreement, the provisions of this DPA shall prevail insofar as they concern data protection matters.
(3) The law of the Federal Republic of Germany applies. The exclusive place of jurisdiction is Hamburg.
This DPA automatically becomes part of the contract upon conclusion of the Main Agreement (ordering a paid plan via the rike.club platform). A separate signature is not required; the Client accepts this DPA implicitly by concluding the Main Agreement.
Upon request, the Processor will provide a separately signed version of this DPA. Please send requests to support@rike.club.
Vegvísir GmbH
Ballindamm 27
20095 Hamburg
Germany
Managing Director: Mark C. Reinold
HRB 178193, Local Court (Amtsgericht) of Hamburg
VAT ID: DE357182449