Galactify Data Processing Agreement (DPA)

Effective as of March 24, 2026

At Galactify, we take the protection of our customers’ data seriously. This Data Processing Agreement (DPA) outlines how Galactify GmbH processes personal data on behalf of its customers in accordance with the EU General Data Protection Regulation (GDPR).
It forms part of our Terms of Service and applies automatically to all users of the Galactify browser-based workspace. No separate signature is required.

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Galactify GmbH, [Georg-Brauchle-Ring 50, c/o wayra, 80992 Munich, Germany] (“Processor” or “Galactify”), and the customer (“Controller” or “Customer”) who uses the Galactify browser-based workspace.

By using the Service or entering into the Agreement, the Customer agrees that this DPA automatically applies to the extent Galactify processes personal data on behalf of the Customer in providing the Service. No separate signature is required.

1. Subject Matter and Duration

This DPA governs the processing of personal data by Galactify on behalf of the Customer within the Galactify browser-based workspace. Processing begins upon the Customer’s use of the Service and continues until all personal data are deleted or returned in accordance with this DPA.

2. Nature and Purpose of Processing

Galactify processes personal data as necessary to operate its browser-based productivity platform, which allows teams to manage projects, create diagrams, capture ideas, and organize knowledge collaboratively. Processing includes storage, transmission, organization, and display of Customer data to authorized users.

3. Types of Data and Categories of Data Subjects

Personal Data:
User account details (name, email address, credentials)
Workspace content and metadata (project titles, tasks, notes, diagrams)
Technical data (usage logs, browser type, IP address)
Data Subjects:
Users authorized by the Customer (employees, contractors, collaborators)

4. Roles and Responsibilities

The Customer acts as Controller and determines the purposes and means of processing.
Galactify acts as Processor and processes personal data solely on the Controller’s documented instructions, as set forth in this DPA and the Agreement.
Each party ensures compliance with applicable data-protection laws.

5. Processor Obligations

Galactify shall:

1. Process personal data only on documented instructions from the Customer.

2. Ensure confidentiality of personnel with access to personal data.

3. Implement technical and organizational measures in accordance with GDPR Art. 32 and ISO 27001 controls (e.g., encryption, access control, backup).

4. Assist the Customer in responding to data-subject requests.

5. Notify the Customer without undue delay upon becoming aware of a personal-data breach.

6. Delete or return all personal data at the end of service provision unless legal retention duties apply.

7. Make information available to demonstrate compliance and cooperate with supervisory authorities.

6. Sub-Processors

To provide and maintain the Service, Galactify engages the following sub-processors that may have access to or process personal data on behalf of the Customer. Personal data is stored and processed within the geographical region selected by Galactify – currently Frankfurt, Germany (EU), unless otherwise required for redundancy or backup purposes within the European Economic Area.

The following sub-processors support the delivery of the Service:

Google Cloud Platform (Google Ireland Ltd.) provides the cloud infrastructure, hosting, and storage environment for the Galactify app within the Frankfurt (Germany) region, and delivers AI-related processing services (such as text generation or diagram creation features) as part of Galactify’s intelligent functionality. For the avoidance of doubt, Galactify configures Google Cloud AI services so that Customer Data processed via these AI features is excluded from model training and is not retained by Google for model improvement. Google is contractually prohibited from using Customer Data for model training without explicit opt-in; Galactify does not provide such opt-in. All processing is performed within Google’s EU data centers under the EU Data Processing and Security Terms and subject to the EU Standard Contractual Clauses where applicable.

MongoDB Atlas (MongoDB Ltd.) provides managed database hosting and backup services, with primary data storage in Frankfurt (Germany).

Brevo (Sendinblue GmbH) provides transactional email delivery for system notifications and account-related messages, with processing located in Germany.

MontiAPM provides application monitoring, performance tracking, and error-diagnostic services; processing is limited to technical metadata such as request logs and performance metrics within the EU region.

PostHog (PostHog, Inc.) provides product analytics and feature flag services to support in-app usage analysis and product improvement. Processing is limited to behavioral and technical data such as user interactions and feature usage events. While PostHog, Inc. is a US-incorporated entity, all Customer Data is processed exclusively within EU data centers under PostHog's EU Cloud infrastructure. Some data may be transferred to the US under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses. PostHog is contractually prohibited from using Customer Data for any purpose other than providing the analytics service to Galactify.

Stripe (Stripe Technology Company Ltd. / Stripe, LLC) provides payment processing, subscription management, and fraud prevention services. While Stripe acts as an independent controller for some financial regulatory purposes, it acts as a subprocessor for Galactify regarding billing and account management. Data is processed primarily within the EU (Ireland), though some data may be transferred to the US under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses.

Galactify ensures all sub-processors are bound by written agreements imposing data-protection obligations no less protective than those in this DPA. Customers will be notified of material changes to the list at least 30 days in advance.

7. International Data Transfers

If personal data are transferred outside the EEA, Galactify ensures appropriate safeguards, including the use of EU Standard Contractual Clauses or equivalent mechanisms under GDPR Chapter V.

8. Security Measures

Galactify maintains appropriate technical and organizational security measures, including but not limited to:

Encryption in transit and at rest

Role-based access control

Secure authentication and logging

Data backup and disaster recovery

Personnel awareness and confidentiality policies

A detailed description of these measures is available upon request.

9. Audit and Compliance

Upon written request, Galactify will provide the Customer with information necessary to demonstrate compliance with this DPA and applicable data protection laws. If such information is insufficient to reasonably verify compliance, the Customer may conduct an audit, which shall be limited in scope, frequency, and timing to minimize disruption to Galactify’s business operations. Audits may be conducted no more than once per year, subject to reasonable notice, confidentiality obligations, and cost-recovery provisions.

10. Term and Termination

This DPA remains in force for as long as Galactify processes personal data on behalf of the Customer. Upon termination, Galactify will delete or return Customer data in accordance with Section 5(6).

11. Miscellaneous

This DPA is governed by the laws of Germany, with jurisdiction in Munich. In the event of conflict between this DPA and the Agreement, this DPA shall prevail regarding data-protection matters.

Acceptance

By using the Galactify Service or otherwise agreeing to the Terms of Service, the Customer is deemed to have accepted this Data Processing Agreement. No physical or electronic signature is required for its validity.

Annex – Technical and Organizational Measures (summary)

Galactify implements appropriate technical and organizational measures to protect personal data in accordance with GDPR Article 32. These measures include, but are not limited to:

Logical access control and authentication

Encryption of data in transit and at rest

Physical and environmental security of cloud infrastructure

Secure operations, logging, and regular backups

Supplier and sub-processor management

Information-security incident management

Detailed information about specific measures may be provided to Customers upon written request under Section 9 (Audit and Compliance).