Data Processing Agreement (DPA)

Pursuant to GDPR Article 28 | Version 1 | April 2026

This Data Processing Agreement ("DPA") sets out the terms under which PeerDesk, operated by Lennart Sieden & Stefan Bechtel GbR ("Processor", "PeerDesk"), processes personal data on behalf of each journal or publishing organization ("Controller") that uses the PeerDesk platform under the PeerDesk Journal Terms of Service.

By accepting the PeerDesk Journal Terms of Service, the Controller accepts this DPA as a binding agreement. This DPA supplements and forms an integral part of the Journal Terms of Service.

This page is the standard DPA template. Individual journals are bound to these terms upon acceptance of the Journal Terms of Service. For a countersigned PDF copy for your records, contact [E-Mail — JavaScript required].

§ 1 — Parties and Roles

Controller: The journal or publishing organization using PeerDesk, as identified in their PeerDesk account registration.

Processor: Lennart Sieden & Stefan Bechtel GbR (moreNetwork / PeerDesk), Heuspachstr. 79, 72644 Oberboihingen, Germany. Email: [E-Mail — JavaScript required]

§ 2 — Subject Matter, Nature, and Purpose of Processing

2.1 The Processor processes personal data on behalf of the Controller for the purpose of providing the PeerDesk editorial management platform, including: reviewer matching and invitation; peer review workflow management; COI declaration processing; editorial decision management; reviewer compensation processing; manuscript file storage; and platform-related communication.

2.2 Processing is carried out exclusively on documented instructions from the Controller (including the settings, workflows, and configurations the Controller applies within the platform). The Processor shall not process personal data for any other purpose, except where required by applicable law.

2.3 The processing relationship commences on the date the Controller accepts the Journal Terms of Service and continues until termination of those Terms.

§ 3 — Categories of Data Subjects and Personal Data

The personal data processed under this DPA relates to the following categories of data subjects:

  • Authors: Name, email address, institutional affiliation, ORCID iD, manuscript content and metadata, submission history, communication content
  • Peer Reviewers: Name, email address, institutional affiliation, ORCID iD, expertise profile, review content, editorial scores, availability status, compensation data
  • Editors: Name, email address, assignment history, decision records
  • Other journal personnel: Name, email address, role, access logs

§ 4 — Processor Obligations

4.1 Processing on Instructions Only

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation continues after the end of the employment relationship.

4.3 Technical and Organizational Security Measures (Art. 32 GDPR)

The Processor implements and maintains the following security measures:

  • Encryption in transit: TLS 1.2+ for all data transmitted between clients and servers, and between internal services
  • Encryption at rest: AES-256 encryption for all stored data and backups
  • Access control: Role-based access control (RBAC) with the principle of least privilege; multi-factor authentication (MFA) for all privileged accounts
  • Audit logging: Comprehensive audit logs of all data access, modifications, and deletions, retained for 3 years
  • Network security: Firewall protection, intrusion detection, regular vulnerability scanning
  • Penetration testing: Annual third-party penetration test; findings remediated within 90 days for critical issues
  • Backup and recovery: Daily encrypted backups with tested restore procedures; recovery time objective (RTO) of 4 hours for critical systems
  • Incident response: Documented incident response plan with defined escalation procedures
  • Staff training: Annual data protection and security awareness training for all staff with data access

4.4 Sub-Processors

The Controller grants the Processor general authorization to engage sub-processors, subject to: (a) the sub-processors are listed in the Sub-Processor Register; (b) the Processor imposes equivalent data protection obligations on each sub-processor; (c) the Processor remains fully liable to the Controller for the sub-processor's performance; and (d) the Processor notifies the Controller at least 30 days before engaging a new sub-processor or making material changes to existing sub-processor relationships, giving the Controller the opportunity to object.

4.5 Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Chapter III (rights of access, rectification, erasure, restriction, portability, and objection) by making available the relevant technical tools and, upon request, providing information held by the Processor.

4.6 Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting data processed under this DPA. The notification shall include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects and records concerned; (c) the likely consequences of the breach; and (d) measures taken or proposed to address the breach.

4.7 Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) under GDPR Art. 35, where the processing operations would require such assessment.

§ 5 — Controller Rights

5.1 Audit Rights

The Controller has the right to conduct audits and inspections of the Processor's compliance with this DPA. Audits shall be: (a) conducted with at least 30 days' prior written notice; (b) limited to once per calendar year unless there is documented cause to believe a material breach has occurred; (c) conducted during normal business hours with minimal disruption to Processor operations; and (d) at the Controller's expense.

In lieu of on-site audits, the Processor may make available current SOC 2 Type II reports, ISO 27001 certificates, or equivalent third-party audit reports, which the Controller may rely upon.

5.2 Instructions

The Controller may issue documented instructions to the Processor regarding the processing of personal data. If the Processor believes an instruction infringes GDPR or other applicable data protection law, the Processor shall immediately inform the Controller. The Processor is not required to follow instructions that it reasonably believes are unlawful.

§ 6 — International Data Transfers

6.1 The Processor shall not transfer personal data outside the EEA unless: (a) the transfer is to a country with an adequacy decision under GDPR Art. 45; (b) appropriate safeguards are in place under GDPR Art. 46 (Standard Contractual Clauses or equivalent); or (c) an exception under GDPR Art. 49 applies.

6.2 Current non-EEA transfers and their safeguards are listed in the Sub-Processor Register. Stripe (US) and ORCID (US) transfers are covered by the EU-US Data Privacy Framework and/or SCCs as described therein.

§ 7 — Data Return and Deletion

7.1 Upon termination of the Journal Terms of Service, the Processor shall, at the Controller's choice, return all personal data to the Controller or delete it, and delete all copies, unless Union or Member State law requires retention.

7.2 The Controller has 30 days from the date of termination to request data export via the platform's standard export tools. After this window, all Controller data will be deleted.

7.3 The Processor shall provide written confirmation of deletion upon request.

7.4 Notwithstanding the above, the Processor shall retain data required by applicable law (e.g., reviewer compensation records retained for 10 years under German tax law).

§ 8 — Miscellaneous

8.1 This DPA is governed by the same law and subject to the same jurisdiction as the Journal Terms of Service (German law; Stuttgart courts).

8.2 If any provision of this DPA is invalid or unenforceable, the remainder remains in full force.

8.3 This DPA supersedes any prior data processing agreements or data protection addenda between the parties with respect to the subject matter hereof.


Version: 1 | Effective: April 2026 | Lennart Sieden & Stefan Bechtel GbR — moreNetwork / PeerDesk

For a countersigned PDF copy for your organization's records, contact [E-Mail — JavaScript required].