Data Processing Agreement
How personal data is processed when you use the World Model Readiness diagnostic, and the Art. 28 GDPR terms that apply where we process data on your organisation's behalf.
1. Roles
For the assessment offered on this website, Thorsten Meyer (see Impressum) acts as an independent controller within the meaning of Art. 4(7) GDPR: we determine the purposes and means of processing described in our Privacy Policy (Datenschutz). Using the public assessment therefore does not, by itself, require a data processing agreement with your organisation.
Where your organisation separately commissions us to analyse or process data on its behalf (for example a private, organisation-wide readiness cohort), we act as a processor under Art. 28 GDPR, and the terms below apply.
2. Subject matter, duration, nature and purpose
Subject matter: processing of assessment responses and related contact data for the purpose of producing readiness diagnostics and aggregated analyses for the commissioning organisation. Duration: the term of the commissioned engagement. Nature and purpose: collection, storage, scoring, benchmarking, reporting, and deletion of the data listed in section 3.
3. Categories of data and data subjects
Data subjects: employees or officers of the commissioning organisation who complete the assessment. Categories of data: business email address, assessment scores, optional free-text answers, company size band, sector, technical metadata (truncated and hashed IP address, user agent). No special categories of data (Art. 9 GDPR) are requested or knowingly processed.
4. Obligations as processor
- We process personal data only on documented instructions of the controller (Art. 28(3)(a) GDPR).
- Persons authorised to process the data are committed to confidentiality (Art. 28(3)(b)).
- We implement the technical and organisational measures summarised in section 6 (Art. 32).
- We assist the controller in responding to data-subject requests and in complying with Art. 32–36 (Art. 28(3)(e)–(f)).
- At the controller's choice, we delete or return all personal data after the end of the engagement and delete existing copies unless Union or member-state law requires storage (Art. 28(3)(g)).
- We make available all information necessary to demonstrate compliance and allow for and contribute to audits (Art. 28(3)(h)).
5. Subprocessors
The controller grants general authorisation for the following subprocessors; we will inform the controller of intended changes and give the opportunity to object:
- ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany — hosting and database operation (EU).
- Emailit — transactional email delivery (double opt-in confirmation and report delivery).
6. Technical and organisational measures (summary)
- Transport encryption (TLS) for the website, mail submission, and administrative access.
- IP addresses are truncated and hashed at intake; they are never stored in raw form.
- Respondent email addresses are set to
NULLafter double-opt-in confirmation; only an irreversible SHA-256 hash remains for deduplication. - Unconfirmed submissions are automatically discarded after 72 hours.
- Administrative endpoints fail closed and are protected by IP allowlisting and HTTP authentication.
- Hosting and data storage exclusively in Germany (EU); no transfer to third countries in the assessment flow.
7. Signed copy
Organisations requiring a countersigned agreement (including the full list of technical and organisational measures) can request one at readiness@thorstenmeyerai.com. The German-law version prevails in case of conflict.
Effective: 6 July 2026.