Services
All Services
Highlights
All Highlights

  • Next Gen Signals: Five trends reshaping how Gen Z and Gen Alpha connect with brands in 2026

    Gen Z & Gen Alpha 2026: 5 Trends Redefining How Young Audiences Experience Brands
    Read more

  • Artificial intelligence or human? The only viable option is both together!

    AI is revolutionizing marketing – but it can't work without the human element. Three perspectives from practice show what this means.
    Read more

For individual solutions

You are welcome to discover our Houses of Communication, where you will find fully integrated and individualised offerings.

Let's talk
Highlights
All Highlights
TWELVE Media Platform as Typo on a colorful background

TWELVE is our platform for communication, inspiration and meaningful discussion. Using a variety of media formats, we address relevant topics, share practical knowledge and experiences, present new approaches and perspectives, and provide valuable insights.

TWELVE

  • Rügenwalder & Serviceplan Give Pop Fans €100K Media Space

    Rügenwalder Mühle, with Serviceplan Hamburg and Serviceplan Culture, gave Berlin pop fans €100K in media space, showing brands as enablers of culture and community.
    Read more

  • Serviceplan Group named Independent Network & Agency 2025

    Serviceplan Group was named Independent Network of the Year at Cannes Lions 2025, winning a record 19 Lions, while Serviceplan Munich earned Independent Agency of the Year.
    Read more
Serviceplan Logo on a decorative background image
Serviceplan

Expertise for (Über)Creativity & Content
Mediaplus Logo on adecorative background image
Mediaplus

Leading independent media agency with 2,500 experts at 25 locations worldwide. Data-driven media consulting, planning and implementation for maximum efficiency.
Plan.Net Logo on adecorative background image
Plan.Net

Expertise for Digital Experience & Technology

© Serviceplan Group 2026

locations
Get in touch with us
Sabrina Alberti-Hager
Corporate Communications
Sabrina Alberti-Hager
Serviceplan Group
Let's get in touch with us!
Sabrina Alberti-Hager
Sabrina Alberti-Hager
Serviceplan Group
Corporate Communications
Let's get in touch with us!
Bitte geben Sie eine gültige E-Mail-Adresse ein

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Simon Fundner
Global Client Development
Felix Bartels
Serviceplan Group
Let's get in touch with us!
Simon Fundner
Felix Bartels
Serviceplan Group
Global Client Development
Let's get in touch with us!
Bitte geben Sie eine gültige E-Mail-Adresse ein

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Nina Stechl
Human Resources
Nina Stechl
Serviceplan Group
Let's get in touch with us!
Nina Stechl
Nina Stechl
Serviceplan Group
Human Resources
Let's get in touch with us!
Bitte geben Sie eine gültige E-Mail-Adresse ein

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Processing Agreement

 

These Data Processing Agreement Terms ("DPA") form an integral part of the AGREEMENT to the extent PROVIDER processes personal data of the CUSTOMER based on CUSTOMER's instructions under the Agreement. As per this DPA, CUSTOMER is acting as the controller of personal data as defined in the General Data Protection Regulation ("CONTROLLER") whilst the PROVIDER is acting as the processor as stipulated in the General Data Protection Regulation ("PROCESSOR"). Both are hereinafter collectively referred to as the "PARTIES" and individually a "PARTY".

Unless otherwise defined in this DPA, the definitions of the AGREEMENT apply to this DPA.

1. General Provisions

The PROCESSOR shall process personal data only on behalf of and in accordance with the documented instructions of the CONTROLLER, under and for the purposes of the AGREEMENT and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any other applicable data protection laws.

The CONTROLLER has selected the PROCESSOR as a supplier in accordance with the duty of care under applicable data protection laws. This DPA constitutes the data processing agreement within the meaning of Art. 28 GDPR, governing the rights and obligations of the PARTIES with respect to data processing.

"PERSONAL DATA" or "DATA" means any information relating to an identified or identifiable natural person (hereinafter referred to as "DATA SUBJECT").

The term "PROCESSING" shall be understood in a broad sense. This includes any operation or series of operations carried out with or without the use of automated procedures in connection with PERSONAL DATA, such as collection, gathering, organization, arrangement, storage, adaptation or modification, reading, retrieval, use, disclosure by transmission, dissemination or any other form of provision, matching or linking, restriction, deletion or destruction.

"INSTRUCTION" means an instruction by the CONTROLLER to the PROCESSOR, issued in a documented form, to perform a specific action regarding PERSONAL DATA (e.g. anonymization, blocking, deletion, disclosure). If necessary, an INSTRUCTION can be issued orally or by telephone; such INSTRUCTIONS shall be confirmed by the CONTROLLER without undue delay in a documented form.

The CONTROLLER retains all rights in the DATA. At the request or upon termination of the Agreement, PROCESSOR shall return or delete the DATA in accordance with this DPA. The PROCESSOR shall not assert any right of retention over the CONTROLLER's DATA, except where required by applicable law.

2. Scope and Purpose of Processing

The purpose of this DPA is to set out the scope, purpose and subject matter of the DATA PROCESSING carried out by the PROCESSOR on behalf of the CONTROLLER under the Agreement.

The PROCESSOR shall process PERSONAL DATA solely to the extent necessary for providing, administering, and operating the SOFTWARE under the Agreement and only in accordance with the CONTROLLER's INSTRUCTIONS.

The categories of DATA SUBJECTS and types of PERSONAL DATA processed are specified in Appendix 1.

The PROCESSING of special categories of PERSONAL DATA within the meaning of Art. 9 GDPR may occur where necessary for the provision of the services and where the CONTROLLER has lawfully collected such DATA and provided INSTRUCTIONS for their processing.

3. Controller's Rights and Obligations

The CONTROLLER is the controller in the meaning of applicable data protection laws with respect to PROCESSOR's PROCESSING of the DATA. The CONTROLLER will decide about the admissibility of the PROCESSING.

The CONTROLLER may at any time issue additional or amended INSTRUCTIONS regarding the purpose, type and scope of PROCESSING.

The CONTROLLER will be responsible for ensuring DATA SUBJECTS' rights. DATA SUBJECTS' rights are to be exercised towards the CONTROLLER.

The CONTROLLER may inform the PROCESSOR of any error of irregularity in the PROCESSING of the DATA by the PROCESSOR.

4. Processor's Obligations and Responsibilities

The PROCESSOR shall process DATA only within the scope of the Agreement and this DPA, including any INSTRUCTIONS issued by the CONTROLLER.

The PROCESSOR shall not make copies of PERSONAL DATA for its own purposes. Copies may be made only where necessary to provide the services, ensure proper PROCESSING (including backups and redundancy), or comply with legal obligations.

The PROCESSOR shall support the CONTROLLER in any inspections or information requests by competent supervisory authorities relating to the PROCESSING under this DPA and shall promptly inform the CONTROLLER of any such inquiries or measures that concern the CONTROLLER's DATA.

Where required by law, the PROCESSOR shall appoint a data protection officer and provide the CONTROLLER with the officer's contact details. If no DPO is required, the PROCESSOR shall designate a contact point for data protection matters.

The PROCESSOR shall, without undue delay, inform the CONTROLLER if and why the PROCESSOR deems certain INSTRUCTIONS unlawful.

The PROCESSOR shall, upon reasonable request, provide the CONTROLLER with the information necessary to enable the CONTROLLER to maintain accurate and up-to-date records of processing activities in accordance with Art. 30 GDPR and other applicable data protection laws.

The PROCESSOR shall, to the extent reasonably required, assist the CONTROLLER in fulfilling its obligations under Art. 32 to 36 GDPR, including data security, data protection impact assessments, and prior consultations with supervisory authorities. Such assistance shall consist of providing relevant documentation, technical information, or cooperation as reasonably necessary to demonstrate compliance, taking into account the nature of the PROCESSING and the information available to the PROCESSOR.

If the PROCESSOR is required to disclose the DATA or information about the PROCESSING or this DPA, the PROCESSOR shall inform the CONTROLLER in writing and prior to such disclosure about the recipients, the time and the content of the disclosure as well as the legal grounds.

The PROCESSOR shall, upon reasonable request, correct, delete or block DATA in accordance with the CONTROLLER's INSTRUCTIONS and applicable law. The PROCESSOR shall confirm completion upon request by the CONTROLLER. Legal data retention obligations remain unaffected.

The PROCESSOR shall implement and maintain procedures to ensure compliance with this DPA and applicable data protection laws. Upon reasonable request, the PROCESSOR shall provide evidence of compliance (e.g., ISO 27001, SOC 2, or equivalent documentation).

If the CONTROLLER's PERSONAL DATA stored by the PROCESSOR were to become endangered due to attachment or sequestration, insolvency or composition proceedings or other events or measures by third parties, the PROCESSOR shall inform the CONTROLLER hereof without undue delay. The PROCESSOR shall inform all persons responsible in this context without undue delay that the rights to and ownership of the DATA lie solely with the CONTROLLER.

5. Data Breach Notification

In the event of a breach of PERSONAL DATA, the PROCESSOR shall notify the CONTROLLER without undue delay, and in any case no later than 48 hours after becoming aware of the breach.

The notification shall at least:

  • describe the nature of the breach of PERSONAL DATA including, where possible, the categories and approximate number of DATA SUBJECTS and data records concerned;
  • communicate the name and contact details of the PROCESSOR's data protection officer or other contact point;
  • describe the likely consequences of the breach of PERSONAL DATA; and
  • describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The PROCESSOR shall cooperate fully with and assist the CONTROLLER in complying with the CONTROLLER's obligations under Art. 33 and 34 GDPR.

6. Data Subjects' Rights

If a DATA SUBJECT contacts the PROCESSOR directly for the purpose of access, correction, deletion or blocking, restriction of processing or objection with regard to DATA concerning him, the PROCESSOR shall immediately forward this request to the CONTROLLER. The PROCESSOR will not contact the DATA SUBJECT concerned, unless the CONTROLLER has instructed the PROCESSOR to do so. Information may only be provided upon prior instruction by the CONTROLLER.

Upon first request, the PROCESSOR shall support the CONTROLLER in fulfilling the claims of DATA SUBJECTS for access, correction, blocking or deletion, restriction of processing or objection. This includes in particular that the PROCESSOR informs the CONTROLLER within a reasonable timeframe, of the information required to fulfil the claim.

7. Sub-Processors

The CONTROLLER generally authorizes the PROCESSOR to engage with sub-processors for the purposes of data processing outlined in this DPA, provided the PROCESSOR complies with the obligations stipulated under this Clause 7. An overview of all currently used sub-processors is available at LINK. The third-party AI Agents used (i.e. sub-processors in this context) are available at https://www.sokosumi.com/de. Depending on which additional third-party AI Agents the AI Agent engaged by the CONTROLLER on the platform decides to use, the sub-processor(s) engaged may vary, are specifically listed in each job summary report, and can be accessed via a link to https://www.sokosumi.com/de. Changes and/or updates to the third-party AI Agents used (sub-processors) are available at https://www.sokosumi.com/de, thereby allowing the CONTROLLER to opt which AI Agent to choose.

The PROCESSOR shall carefully select sub-processors and ensure that they provide sufficient guarantees to implement appropriate technical and organizational measures.

The PROCESSOR shall ensure that sub-processors are bound by written contracts imposing the same data protection obligations as set out in this DPA, in particular with respect to security and confidentiality. The PROCESSOR shall remain fully liable for the performance of sub-processors.

Upon request, the PROCESSOR shall provide the CONTROLLER with the main data protection terms agreed with the sub-processor.

The PROCESSOR shall exercise towards its sub-processors the same audit and control rights that the CONTROLLER has towards the PROCESSOR under this DPA. The PROCESSOR shall monitor its sub-processors' compliance on a regular basis and provide relevant evidence to the CONTROLLER upon request. Upon the CONTROLLER's request, the PROCESSOR shall provide copies of such audit documentation or other relevant evidence. The CONTROLLER's audit rights under Clause 9 remain unaffected and may also be exercised in relation to sub-processors through the PROCESSOR.

Insofar as the involvement of a sub-processor involves the transfer of data to third countries, this transfer is covered by the authorization pursuant to Clause 7.1 and requires appropriate safeguards in accordance with Art. 44 et seq. GDPR. The PROCESSOR shall ensure that appropriate safeguards (e.g., standard contractual clauses, adequacy decision of the EU Commission) are implemented for international data transfers and shall provide evidence of this upon request.

8. Audit Rights

Audits shall primarily be conducted remotely, and may include the review of existing certifications, audit reports, or equivalent documentation. On-site audits shall be permitted only where remote audits do not provide sufficient assurance or in case of a justified suspicion of non-compliance.

Audits may be carried out no more than once per year, unless required by a supervisory authority or justified by a specific incident.

The PROCESSOR shall make available to the CONTROLLER all information reasonably necessary to demonstrate compliance with this Agreement and Art. 28 GDPR.

The CONTROLLER may request relevant information from the PROCESSOR's data protection officer or another qualified privacy contact regarding data protection compliance and technical and organizational measures.

The CONTROLLER may engage third parties to exercise audit rights. The PROCESSOR must tolerate and support the actions of such a third party in the same way as actions by the CONTROLLER. Audits shall be carried out during regular business hours, upon reasonable notice, and in a manner that does not unreasonably disrupt the PROCESSOR's operations.

9. Data Secrecy

The PROCESSOR is under the obligation to protect data secrecy when PROCESSING DATA for the CONTROLLER.

The PROCESSOR shall ensure that all personnel authorized to process PERSONAL DATA are subject to appropriate confidentiality obligations and receive adequate data protection training.

10. Technical and Organizational Measures

The PROCESSOR shall implement technical and organizational measures necessary to ensure compliance with the applicable data protection law.

Since technical and organizational measures are subject to technological developments, the PROCESSOR shall be entitled to modifying the technical and organizational measures provided such modification does not decrease the level of data protection and data security beneath what is required by law and under this DPA.

Upon request, the PROCESSOR shall provide documentation demonstrating that appropriate technical and organizational measures are in place and kept up to date.

The PROCESSOR shall immediately inform the CONTROLLER in writing, without request, of any significant changes in the technical and organizational measures.

11. Term

This DPA automatically terminates upon expiration or termination of the AGREEMENT.

12. Destruction, Deletion and Return of Data

Upon termination of this DPA, the PROCESSOR is prohibited from collecting or using the CONTROLLER's DATA. Further storage of DATA collected during the term of the DPA is only permitted to the extent necessary for the purpose of deletion, destruction or return to the CONTROLLER.

Unless instructed otherwise, the PROCESSOR shall irretrievably delete or destroy PERSONAL DATA using industry-standard secure deletion methods (e.g., DIN 66399, NIST SP 800-88, or comparable).

The PROCESSOR shall inform the CONTROLLER prior to permanent deletion of PERSONAL DATA, unless otherwise instructed. The PROCESSOR shall document deletion or destruction and provide such documentation to the CONTROLLER upon request. Statutory retention obligations remain unaffected.

Appendix 1: Data Subjects and Data Categories

This Appendix describes the scope of the PERSONAL DATA PROCESSING carried out by the PROCESSOR on behalf of the CONTROLLER under this DPA.

1. Purpose of Processing

The PROCESSOR processes PERSONAL DATA solely for the purpose of performing, administering, and operating the SOFTWARE as defined in the AGREEMENT.

2. Categories of Data Subjects

The PROCESSING may concern the following categories of DATA SUBJECTS:

  • End users of the CONTROLLER who interact with the SOFTWARE (e.g., customers, clients, or website visitors);
  • Employees, contractors, or other representatives of the CONTROLLER who use or administer the SOFTWARE;
  • Employees or contractors of the PROCESSOR with authorized access, limited to what is necessary for operation, support, or maintenance;
  • Other individuals whose PERSONAL DATA are submitted to the PROCESSOR by or on behalf of the CONTROLLER through the SOFTWARE.

3. Categories of Personal Data

The PROCESSING may include the following categories of PERSONAL DATA:

  • User master data – e.g. name, account details, contact details
  • Content data – e.g. text entries, uploaded files, prompts, outputs
  • Usage data – e.g. logs of interactions, timestamps, frequency of use
  • Technical data – e.g. IP address, device type, browser information
  • Payment data – e.g. billing details, transaction IDs (if applicable)

4. Special Categories of Data

The PROCESSING of special categories of PERSONAL DATA within the meaning of Art. 9 GDPR (e.g. health, biometric, or other sensitive data) may occur only where such DATA are lawfully collected and provided by the CONTROLLER and where the CONTROLLER has instructed the PROCESSOR to process such DATA.

In such cases, the PROCESSOR shall implement appropriate technical and organizational measures to ensure a level of protection corresponding to the sensitivity of the DATA.

5. Nature and Purpose of Processing Activities

The PROCESSING includes, as necessary for the provision of the contracted SOFTWARE and related platform services, the collection, storage, transmission, and limited use of PERSONAL DATA, as well as related activities required for support, maintenance, and compliance with legal obligations. All PROCESSING is strictly limited to what is necessary for the operation and provision of the SOFTWARE and the underlying infrastructure as described in the AGREEMENT.

6. Duration of Processing

PERSONAL DATA shall be processed for the duration of the AGREEMENT, and shall be deleted or returned in accordance with Clause 12 of this DPA upon termination, unless longer retention is required by applicable law or agreed in writing by the Parties.

Appendix 2: Sub-Processors

The PROCESSOR shall keep this list up to date and notify the CONTROLLER in writing at least thirty (30) days in advance of any intended addition or replacement of sub-processors, thereby allowing the CONTROLLER to object in accordance with Clause 7.7 of this DPA.

Anthropic, PBC
Registered Address: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
Legal Transfer Safeguard: Transfer based on Standard Contractual Clauses (SCC)

Exa AI, Inc.
Registered Address: 430 Shotwell St, San Francisco, CA 94110, USA
Legal Transfer Safeguard: Transfer based on Standard Contractual Clauses (SCC)

Appendix 3: Technical and Organizational Measures (TOMs)

This Appendix describes the technical and organizational measures implemented by the PROCESSOR for the agentic services provided under this DPA, pursuant to Art. 32 GDPR. It supplements the obligations in the main DPA; procedural obligations governed there (breach notification, sub-processor management, data deletion) are not repeated here.

Processing Overview

The agentic services process data through the following chain: the agent retrieves data from third-party APIs (e.g., DataForSEO, Apify, GWI, Statista), sends it to the Anthropic Claude API for LLM-based analysis, and delivers structured results to the CONTROLLER. The agent services are hosted on a managed runtime environment and delivered via a secure marketplace platform.

Anthropic (Claude API)

  • Role: LLM processing
  • Key Security Facts: SOC 2 Type II, ISO 27001, ISO 42001. AES-256 at rest, TLS 1.2+ in transit. 7-day retention (ZDR available). No training on customer data.

Third-party data APIs

  • Role: Data retrieval
  • Key Security Facts: Licensed providers under separate DPAs. Data transmitted over TLS-encrypted connections only.

1. Access Control and User Management

Authentication
MFA for production access. API keys for service-to-service communication, stored in encrypted environment variables.

Authorization
Role-based access control with least-privilege principle. Agent components operate with minimal required permissions.

Access lifecycle
Quarterly access reviews. Immediate deprovisioning on role change or departure.

2. Physical and Environmental Security

All processing takes place on cloud infrastructure operated by certified providers (ISO 27001 / SOC 2). The PROCESSOR does not operate own data centers. Physical security of sub-processor infrastructure (Anthropic, data API providers) is governed by their respective certifications and DPAs.

3. Encryption and Pseudonymisation

In transit
TLS 1.2+ for all communications between agent components and external APIs.

At rest
AES-256 encryption on cloud storage. Anthropic encrypts all data at rest with AES-256.

Pseudonymisation
User input queries are pseudonymised through a two-layer architecture:

Layer 1 — Kodosumi Infrastructure (by Architecture)
The agent processing layer (Kodosumi/Ray cluster) stores only a technical session ID (user_id); no name, email address, or other directly identifying information is present at this layer. The mapping between user_id and the natural person is held exclusively by the Sokosumi platform and never flows into the agent infrastructure. As a result, input queries stored in the Kodosumi execution database are already pseudonymised at rest — they cannot be attributed to a specific individual without access to the Sokosumi user registry.

Layer 2 — Anthropic Claude API (Zero Data Retention)
Query content transmitted to the Anthropic Claude API is processed under Zero Data Retention (ZDR) terms. Anthropic does not persist query data beyond the duration of the API call and does not use it for model training. The query is effectively discarded after the response is returned.

Retention and Deletion
Execution records including input queries stored in the Kodosumi runtime database are automatically deleted after 6 months. This retention period reflects the minimum operationally required for support and auditability purposes. In the event that a query incidentally contains personal data of a natural person (e.g., a name included in a research request), this data is subject to the same 6-month retention limit and is not accessible outside the Kodosumi execution environment.

4. System and Network Security

Network isolation
Production systems deployed in isolated network segments. Traffic restricted to necessary ports and endpoints.

Vulnerability management
Regular patching of dependencies. Code review before deployment.

Monitoring
Centralised logging of agent executions. Anomaly alerting on error rates and unexpected behavior.

5. Incident Response and Business Continuity

Breach notification procedures and timelines are governed by Section 5 of the DPA.

Incident response
Documented incident response plan with defined roles and escalation paths. Post-incident root cause analysis.

Availability
Automatic scaling and failover capabilities of the hosting environment. Regular backups of persistent storage with tested recoverability. Execution data in the agent runtime is transient and subject to the standard retention cycle described in Section 3.

6. Data Protection by Design and by Default

Data minimisation
Agents request only the data needed for the specific task. Prompt engineering prohibits unnecessary collection of personal data.

Privacy by default
Shortest available sub-processor retention periods selected. Results delivered only to authorised recipients.

Output quality
Anti-hallucination validation against source data. Structured outputs with source attribution.

7. Personnel Measures

Confidentiality obligations are governed by Section 8 of the DPA. In addition, developers receive training on privacy-by-design for LLM-based systems, including prompt engineering for data minimisation and anti-hallucination techniques.

8. Review and Evaluation

These TOMs are reviewed at least annually and updated as needed. Material changes are notified to the CONTROLLER in advance.

Last reviewed: February 23, 2026