Effective Date: February 2026

Data Processing Agreement (DPA) / AVV

Data Processing Agreement (DPA)

in accordance with Art. 28 GDPR

Preamble

This Data Processing Agreement ("DPA") is an appendix and integral part of the main contract (Terms of Service / User Agreement) concluded between the Customer ("Controller") and the Provider ("Processor") by digital consent (click-wrap).

§ 1 Subject and Duration of the Agreement

  • Subject: The Processor provides Software-as-a-Service (SaaS) services to the Controller. In doing so, it processes personal data on behalf of and under the instructions of the Controller.
  • Duration: The term of this DPA is governed by the term of the main contract. It ends automatically upon termination of the main contract, unless there are statutory retention obligations.

§ 2 Type and Purpose of Processing, Type of Data

  • Type and Purpose: The processing includes the collection, recording, organization, storage, alteration, and use of data to provide the SaaS software, hosting, database management, sending transactional emails, and technical support.
  • Type of Data:
    • Master data (names, email addresses, account information)
    • Communication data (support requests, metadata)
    • Content data (texts, files, or inputs uploaded or entered into the software by the Controller)
    • Log data (log files, access data)
  • Categories of Data Subjects:
    • Employees of the Controller
    • Customers/end users of the Controller (insofar as their data is entered into the software)

§ 3 Obligations of the Processor

The Processor undertakes to:

  1. Process data exclusively within the framework of the agreements made and according to the Controller's documented instructions, unless required to do so by Union or Member State law.
  2. Ensure that persons authorized to process the personal data (employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Take all measures required pursuant to Article 32 GDPR for the security of processing (see Appendix 2: Technical and Organizational Measures – TOMs).
  4. Provide reasonable assistance to the Controller, taking into account the nature of processing and the information available to the Processor, in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (data security, notification of breaches, data protection impact assessments).
  5. Following the conclusion of the processing services, either delete or return all personal data at the choice of the Controller, unless Union or Member State law requires storage of the personal data.

§ 4 Location of Processing

Data processing takes place generally within the European Union (EU) or the European Economic Area (EEA). Transfer to a third country may only take place if the special conditions of Art. 44 et seq. GDPR are met (e.g., adequacy decision by the Commission, EU Standard Contractual Clauses, or equivalent safeguards such as the Data Privacy Framework).

§ 5 Subcontractors (Sub-Processors)

  1. The Controller grants the Processor general authorization to engage further processors (subcontractors).
  2. The subcontractors used at the time the contract is concluded are listed in Appendix 1 and are deemed approved.
  3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of subcontractors (e.g., via email or in-app notification). The Controller may object to such changes in writing or text form within 14 days. If no objection is made, the change is deemed approved.
  4. The Processor shall ensure that contractual agreements are made with all subcontractors guaranteeing a level of protection corresponding to this DPA.

§ 6 Control Rights of the Controller

  1. The Controller has the right to verify compliance with the obligations under this agreement.
  2. Since the Processor uses cloud infrastructure providers (hyperscalers), the right of control is generally exercised through the presentation of suitable evidence (e.g., current certificates, reports from independent bodies such as SOC 2, ISO 27001 certificates, or data protection audits). On-site inspections in the data centers are generally excluded or only possible within the framework of the provisions of the sub-providers.

§ 7 Liability

Liability for compensation for damage suffered by a data subject due to unlawful or incorrect data processing by the Controller and Processor is governed by the provisions of Article 82 GDPR.


Appendix 1 to the DPA: List of Subcontractors (Sub-Processors)

The Customer consents to the commissioning of the following service providers:

Service Provider | Service / Function | Company Headquarters | Storage Location / Server Location
Google Cloud Platform (Google Ireland Ltd.) | Hosting, infrastructure, databases | Ireland (EU) | Frankfurt / EU Regions (Primary)
Vercel Inc. | Frontend hosting, Edge Network | USA | Global CDN / Serverless Functions (Deployment Region: Frankfurt/EU)
Supabase Inc. | Backend-as-a-Service, Database | USA | Frankfurt (AWS Region eu-central-1)
Railway Corp. | Application Hosting | USA | EU Region
Unosend | Transactional emails | Global | EU Servers
Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) | Global / EU

Note: Insofar as US service providers (Vercel, Supabase, Railway) are used, data transfer is based on the EU-U.S. Data Privacy Framework (if certified) or on the EU Standard Contractual Clauses (SCCs).


Appendix 2 to the DPA: Technical and Organizational Measures (TOMs)

pursuant to Art. 32 GDPR

Preliminary Note:

The Processor ("Provider") does not operate its own physical server infrastructure. The software is operated as a cloud solution (SaaS) on systems of certified sub-service providers (including Google Cloud, Vercel, Supabase). The following measures are therefore divided into measures implemented by the Provider itself within its organization and those guaranteed by the selection of certified hosts.

1. Confidentiality (Art. 32(1)(b) GDPR)

a) Physical Access Control
  • No own data centers: The Provider does not maintain its own server rooms.
  • Data centers of sub-service providers: Physical security is ensured by the cloud providers used (Google Cloud Platform, Supabase, Vercel). They have industry-standard certifications (ISO 27001, SOC 2 Type II) and secure the buildings using access control systems, security personnel, video surveillance, and biometric procedures.
  • Business premises of the Provider: Access to the offices is strictly restricted to authorized persons (locking system).
b) System Access Control
  • Password Policies: Use of secure passwords (minimum length, complexity) for all administrative logins.
  • Two-Factor Authentication (2FA): Access to critical infrastructure (Google/Vercel/Supabase cloud consoles, Stripe dashboard, Git repository) is strictly protected by 2FA (app or hardware key).
  • Encryption: Data transmission is exclusively encrypted (HTTPS/TLS 1.2 or higher). SSH access is only possible via key files (no passwords).
c) Internal Access Control
  • Need-to-Know Principle: Employees only receive access to the data they absolutely need to perform their duties.
  • Role Concept: Administrative rights are restricted to a minimal group of people.
  • Separation Control: Data from different customers is processed in logical separation (multi-tenancy of the SaaS architecture). In the database, "Row Level Security" (RLS) ensures that users can only access their own records.

2. Integrity (Art. 32(1)(b) GDPR)

a) Transfer Control
  • Encryption in Transit: Personal data is protected during transmission over public networks by encryption protocols (SSL/TLS).
  • No Unauthorized Disclosure: Data is not copied to private storage media (USB sticks).
b) Input Control
  • Logging: System activities (especially logins, failed login attempts, deployments) are logged.
  • Version Control: Changes to the software source code are traceably documented via a versioning system (Git). Every change can be attributed to a developer.

3. Availability and Resilience (Art. 32(1)(b) and (c) GDPR)

a) Availability Control
  • Backups: Daily automated backups of the databases (Point-in-Time Recovery via Supabase/Google Cloud).
  • Redundancy: Data is stored in highly available cloud environments.
  • Emergency Plan: A process exists for restoring data from backups in the event of data loss.
b) Resilience of Systems
  • Scalability: The cloud infrastructure used (Serverless/Auto-Scaling) automatically adapts to load peaks to avoid failures due to overload.
  • DDoS Protection: Utilization of protective measures by cloud providers against Denial-of-Service attacks.

4. Procedures for Regular Testing (Art. 32(1)(d) GDPR)

  • Data Protection Management: Regular review of the sub-processors used for compliance with data protection standards.
  • Security Updates: Regular installation of security updates for utilized software libraries (Dependency Audits).
  • Incident Management: Process for the immediate reporting of personal data breaches to the supervisory authority and to the affected data subjects in accordance with Art. 33/34 GDPR.