← Back DE

Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR · Last updated: 11 July 2026

This DPA applies where Furnify3D processes personal data on behalf of a business customer (the "Controller") as a processor in the course of providing the Service. It forms part of, and is subject to, the Terms of Service. Where the customer acts as a consumer, no processor relationship arises and this DPA does not apply.

1. Definitions and roles

Terms such as "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meaning given in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). The Controller is the customer; Furnify3D GmbH is the processor. The Controller determines the purposes and means of the processing; Furnify3D processes personal data only on the Controller's documented instructions, including this DPA and the use of the Service.

2. Subject matter, duration, nature and purpose

The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1. Processing lasts for the term of the underlying agreement and until deletion or return in accordance with clause 11.

3. Instructions

Furnify3D processes personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law; in such a case Furnify3D informs the Controller of that legal requirement before processing, unless the law prohibits it. Furnify3D informs the Controller without undue delay if it considers that an instruction infringes applicable data protection law.

4. Confidentiality

Furnify3D ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security of processing

Furnify3D implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. The measures are described in Annex 2 and may be updated to keep pace with technical developments, provided the level of protection is not reduced.

6. Subprocessors

The Controller grants general authorisation for Furnify3D to engage subprocessors. The current subprocessors are listed in Annex 3 (the public subprocessor list). Furnify3D informs the Controller of any intended addition or replacement of a subprocessor at least 30 days in advance, giving the Controller the opportunity to object on reasonable, data-protection-related grounds. Furnify3D imposes on each subprocessor, by contract, data protection obligations equivalent to those in this DPA.

7. International transfers

Transfers of personal data to a third country take place only in accordance with Chapter V GDPR. Where a subprocessor is located in a third country, the transfer is based on an adequacy decision or on appropriate safeguards (in particular the EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework), as set out in Annex 4.

8. Assistance with data subject rights

Taking into account the nature of the processing, Furnify3D assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR.

9. Personal data breaches

Furnify3D notifies the Controller without undue delay after becoming aware of a personal data breach and provides the information reasonably available to enable the Controller to meet its obligations under Art. 33 and 34 GDPR.

10. Data protection impact assessments

Furnify3D assists the Controller, taking into account the nature of processing and the information available to Furnify3D, in ensuring compliance with the obligations under Art. 32 to 36 GDPR (security, data protection impact assessment and prior consultation).

11. Deletion or return

At the choice of the Controller, Furnify3D deletes or returns all personal data after the end of the provision of the Service, and deletes existing copies, unless Union or Member State law requires storage of the personal data.

12. Audits

Furnify3D makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable prior notice, confidentiality and Furnify3D's security requirements. Furnify3D may first provide relevant certifications, reports or the documentation of its technical and organisational measures.

13. Liability

Liability under this DPA is governed by the liability provisions of the Terms of Service and by Art. 82 GDPR.

14. Order of precedence and governing law

In the event of conflict, this DPA prevails over the Terms of Service with respect to data protection. This DPA is governed by German law. This English version is the authoritative version; any translation is provided for convenience only.


Annex 1 — Description of the processing

Nature and purpose: provision of the Furnify3D SaaS platform (account management, search, configuration, optimisation, download and storage of 3D assets, subscription and billing management, support).

Categories of data subjects: the Controller's authorised users and administrators, and, where applicable, contact persons.

Types of personal data: account and login data (e.g. email address, name), usage and log data, upload/asset metadata, and — where applicable — support and billing data. The Controller must not upload special categories of personal data (Art. 9 GDPR) through the Service.

Duration: for the term of the agreement and until deletion or return under clause 11.

Annex 2 — Technical and organisational measures (TOMs)

Annex 3 — Subprocessors

The current subprocessors, their purpose, locations and transfer mechanisms are published and kept up to date at furnify3d.com/en/subprocessors, which forms part of this DPA.

Annex 4 — International data transfers

For subprocessors located in third countries (in particular the USA), transfers are based on the EU-U.S. Data Privacy Framework where the recipient is certified, and/or on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) as a fallback safeguard, supplemented by additional measures where required. The applicable mechanism per provider is indicated in the subprocessor list (Annex 3).

Furnify3D GmbH, Elisabethstraße 7, 99096 Erfurt, Germany · info@furnify3d.com · see Legal Notice.