# Netcup DPA Annex 3 - Processing Specifications Guide This guide helps you fill out Annex 3 of the Netcup Data Processing Agreement. ## Your Specific Situation Based on your infrastructure: - **Hosting Provider**: netcup GmbH (Germany) - **CDN/Security**: Cloudflare - **Newsletter**: Listmonk (self-hosted on Netcup) - **Analytics**: Vercel Analytics --- ## Section 1: Subject (Nature & Purpose) of the Processing **Recommended text to enter:** ``` Web hosting and delivery of websites and web applications. This includes: - Serving static and dynamic web content to visitors - Processing contact form submissions - Managing newsletter subscriptions (via self-hosted Listmonk) - Collecting anonymized website analytics - Storing user-generated content where applicable ``` --- ## Section 2: Duration of the Processing This is automatically determined by your contract term with Netcup. --- ## Section 3: Location of the Processing The location is determined by your Netcup server location. For your RS 8000 G12 Pro: - **Primary Location**: Nuremberg, Germany (EU) - **Additional Processing**: Via Cloudflare's global network (with EU data residency options) --- ## Section 4: Categories of Data Subjects **Check the following boxes:** - [x] **Customers** - if you have any e-commerce or client portals - [x] **Interested parties** - potential customers visiting your sites - [ ] **Suppliers** - only if you process supplier data - [x] **Visitors to the website** - all website visitors - [ ] **Employees of the Client** - only if you have employee data on the sites - [ ] **External employees** - only if applicable - [ ] **Data processors, other processors** - only if you subcontract - [x] **Newsletter subscribers** - you use Listmonk **Additional data subjects (if any):** ``` Event attendees (if you host events/conferences) Community members (if you have user accounts) ``` --- ## Section 5: Categories of Personal Data **Check the following boxes:** - [x] **Name data** - contact forms, newsletter signups - [ ] **Date of birth** - only if you collect this - [ ] **Bank and payment data** - only if you handle payments directly - [ ] **Location and geographic information data** - only if you track location - [ ] **Education data** - only if relevant to your sites - [ ] **Traffic data** - only if you log detailed traffic - [ ] **Data relevant to criminal law** - NO - [x] **Contact and address data** - contact forms - [ ] **Customer contract data** - only if you have customer portals - [ ] **Login and authentication** - only if you have user accounts - [ ] **Preference and behavior data** - only if you track preferences - [ ] **Motion profile data** - NO - [ ] **Photo, video, or audio data** - only if you store media **Additional data types:** ``` Email addresses IP addresses (anonymized for analytics) Browser/device information (anonymized) Cookie consent preferences ``` --- ## Special Categories of Data (Art. 9 GDPR) **IMPORTANT**: Select the first option unless you specifically process sensitive data. - [x] **No special categories of personal data ("sensitive data") according to Art 9 GDPR are processed.** If any of your sites deal with health, religion, political opinions, biometric data, etc., you would need to check the second option and specify which categories. --- ## Complete Form Example Here's how your completed Annex 3 should look: ### 1. Subject Matter ``` Web hosting and content delivery for multiple websites and web applications including: - Static and dynamic website hosting - Newsletter subscription management (Listmonk) - Contact form processing - Anonymized web analytics collection - Content management systems ``` ### 4. Data Subjects (check these): - [x] Interested parties - [x] Visitors to the website - [x] Newsletter subscribers - [x] Customers (if applicable) ### 5. Personal Data Categories (check these): - [x] Name data - [x] Contact and address data **Additional data:** ``` Email addresses IP addresses (anonymized) Browser user agent information Cookie consent preferences Website usage data (anonymized) ``` ### Special Categories: - [x] No special categories of personal data are processed --- ## After Submitting 1. **Save a copy** of the completed agreement for your records 2. **Date it** when you submit 3. **Review annually** to ensure it still accurately reflects your processing activities --- ## Tips 1. **Be conservative** - only check categories you actually process 2. **When in doubt, exclude** - you can always add categories later 3. **Keep it updated** - if you add new features that collect data, update the DPA 4. **Document everything** - maintain your own Records of Processing Activities (ROPA)