Data Processing Agreement (DPA)

This is a convenience translation. The legally binding version is the German original.

between

Orangize Digital
Brüderstraße 11
32547 Bad Oeynhausen, Germany
– hereinafter "Processor" –

and

the respective Customer – hereinafter "Controller" –

§ 1 Subject Matter and Duration of Processing

(1) The subject of this agreement is the processing of personal data by the Processor in the context of using the SaaS application dVersum.

(2) Processing is carried out exclusively to provide the contractually agreed services.

(3) The term corresponds to the duration of the SaaS usage agreement.

§ 2 Nature and Purpose of Processing

Processing includes in particular:

  • Storage and management of customer and contact data
  • Creation and management of invoices and quotes
  • Processing of supplier and financial data
  • Storage of calendar and time tracking data
  • AI-assisted processing of user inputs
  • Hosting, backup, and IT security
  • Support and ticket processing

The purpose is the technical provision of the software solution.

§ 3 Types of Data and Categories of Data Subjects

Types of data processed:

  • Master data (name, address, contact details)
  • Billing and payment data
  • Tax-relevant data
  • Time tracking data
  • Communication data
  • IP addresses and log data

Categories of data subjects:

  • Customers of the Controller
  • Suppliers
  • Employees
  • Business partners
  • Users of the software

§ 4 Right to Issue Instructions

(1) The Processor processes personal data exclusively based on documented instructions from the Controller.

(2) Instructions are issued through the use of the software features.

§ 5 Confidentiality

The Processor commits to:

  • Maintaining confidentiality
  • Obligating employees to maintain confidentiality
  • Implementing appropriate access restrictions

§ 6 Technical and Organizational Measures (TOMs)

The Processor implements appropriate measures in accordance with Art. 32 GDPR, in particular:

  • Hosting in Germany (Hetzner)
  • TLS encryption
  • Access controls
  • Role and permission system
  • Audit logging
  • Backup systems (Hetzner backup infrastructure)
  • Database access only server-side
  • Encrypted storage of sensitive credentials (e.g., API keys)
  • Tenant separation (multi-tenant architecture)

§ 7 Sub-processors

The Controller agrees to the use of the following sub-processors:

Hosting

Hetzner Online GmbH (Germany)

Payment processing

Stripe Payments Europe Ltd.

AI services

OpenAI, Anthropic

Integrations

Google (OAuth / Calendar), Telegram (when used)

Transfers to third countries (e.g., the USA) may occur. Such transfers are made on the basis of Standard Contractual Clauses pursuant to Art. 46 GDPR.

§ 8 Rights of Data Subjects

(1) The Processor assists the Controller in fulfilling:

  • Access requests
  • Deletion requests
  • Rectification requests
  • Data portability

(2) The Controller remains primarily responsible for responding to such requests.

§ 9 Data Security and Notification Obligations

(1) The Processor informs the Controller without delay in the event of data breaches and security incidents.

(2) Notification is made without culpable delay.

§ 10 Deletion and Return of Data

(1) After termination of the contract, data will either be deleted or exported upon request.

(2) Statutory retention obligations remain unaffected.

§ 11 Audit Rights

(1) The Controller is entitled to conduct reasonable audits.

(2) Audits must not disproportionately disrupt business operations.

§ 12 Final Provisions

(1) German law applies.

(2) The place of jurisdiction is the registered office of the Processor.

(3) Amendments require text form.