Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR · Last updated: 2026-06-16

This is a convenience translation. The legally binding version is the German original.

between

Orangize Digital
Brüderstraße 11
32547 Bad Oeynhausen, Germany
– hereinafter "Processor" –

and

the respective Customer who uses the SaaS application dVersum – hereinafter "Controller" –

This DPA enters into force upon acceptance of the Terms of Service and use of the application. A separately signed version is available on request; a PDF export of this page can be provided.

§ 1 Subject Matter and Duration of Processing

(1) The subject of this agreement is the processing of personal data by the Processor in the context of providing the SaaS application dVersum.

(2) Processing takes place exclusively to deliver the contractually agreed services and on the documented instructions of the Controller.

(3) The term corresponds to the duration of the SaaS usage agreement. After termination, this DPA continues to apply for as long as personal data of the Controller remains with the Processor.

§ 2 Nature, Scope, and Purpose of Processing

Processing includes, in particular:

  • Storage and management of customer, supplier, and contact data
  • Creation, sending, and archiving of quotes, invoices, credit notes, reminders, and contracts
  • Capture of project, task, time, and calendar data
  • AI-assisted processing of user inputs (AI assistant Vero, content generation)
  • Hosting, backup, versioning, audit logging, and IT security
  • Support and ticket handling
  • Sending of transactional emails (confirmations, reminders, notifications)
  • Processing of payment and bank data for SEPA direct debit (pain.008)

The purpose is the technical provision of the application and related ancillary services.

§ 3 Types of Data and Categories of Data Subjects

Types of data processed:

  • Master data (name, address, contact details, VAT ID)
  • Billing, payment, and bank data (IBAN, BIC, SEPA mandates)
  • Tax-relevant data (receipts, bookings, DATEV exports)
  • Project, task, and time-tracking data
  • Communication data (emails, tickets, comments, AI chat transcripts)
  • Technical data (IP address, user agent, audit logs)
  • Authentication data (bcrypt password hashes, TOTP secrets, JWT tokens)

Categories of data subjects:

  • Employees and additional users of the Controller
  • Customers, suppliers, and business partners of the Controller
  • Prospects and other contacts of the Controller

§ 4 Location of Processing and Third-Country Transfers

(1) Processing primarily takes place in Germany (Hetzner data centers in Falkenstein and Nuremberg). Processing in other EU/EEA member states is permitted.

(2) Transfers to third countries (in particular the USA) occur only where § 8 explicitly identifies the sub-processor concerned. In such cases the transfer is safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR) and, where available, by the sub-processor's certification under the EU-US Data Privacy Framework.

§ 5 Instructions of the Controller

(1) The Processor processes personal data exclusively on documented instructions of the Controller, unless required to process by Union or member-state law to which it is subject.

(2) General instructions are issued through the intended use of the application (settings, configuration, permission system). Deviating or additional instructions must be issued in text form to datenschutz@dversum.com.

(3) If the Processor considers an instruction unlawful, it informs the Controller without delay. Pending clarification, the Processor is entitled to suspend execution of the instruction.

§ 6 Confidentiality and Obligations of Personnel

(1) The Processor preserves data secrecy. This obligation continues after termination of this agreement.

(2) All persons involved in the processing are bound to confidentiality in writing before taking up their work and receive data-protection training at least once a year.

(3) Access to a Controller's data by internal support staff requires explicit approval by an administrator of the Controller through the built-in access-request system. Approvals are time-limited (max. 10 days) and fully logged.

§ 7 Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR. Material changes are coordinated with the Controller in text form.

7.1 Physical and access control

  • Servers in Hetzner data centers with ISO 27001 certification, access control, video surveillance, and 24/7 security
  • Personal accounts for each employee; no shared accounts
  • TOTP-based two-factor authentication for administrator and staff accounts
  • Passwords stored exclusively as bcrypt hashes; minimum length 8 characters
  • Automatic session timeouts and re-authentication

7.2 Access and permission control

  • Role-based permission system (Admin / Member / Staff) per organization
  • Multi-tenant data separation via organization_id on all relevant tables
  • Database access exclusively server-side; no direct access from the browser
  • Audit logging of all security-relevant actions (login, role changes, data export, DPA access)

7.3 Encryption

  • TLS 1.2+ for all communication between browser and server
  • AES-256-GCM encryption for sensitive data at rest (user API keys, SEPA creditor ID, IBAN)
  • bcrypt for password hashes
  • Encrypted backups and replicas

7.4 Availability and recoverability

  • Daily, automated backups of the production database
  • Recovery from backups of the last 14 days guaranteed
  • Security-relevant updates applied within 7 days, critical updates (CVSS ≥ 9.0) within 48 hours
  • Redundant storage media at the hosting sub-processor
  • Regular recovery tests, documented

7.5 Input, transfer, and contract control

  • Inputs, changes, and deletions are traceable via audit log (user, time, action)
  • Data exports (CSV, DATEV) accessible only to authenticated and authorized users
  • Engagement of further sub-processors only in accordance with § 8

7.6 Privacy by default

  • Default settings are data-minimising (no public profiles, no marketing cookies without consent)
  • External trackers (statistics, marketing) are activated only after explicit consent via the cookie banner
  • AI features never use Controller data to train the underlying models (BYOK + system fallback)

7.7 Regular review

  • At least annual review of the TOMs by management and IT lead; adjustments are documented
  • Ad-hoc review after security-relevant incidents or material changes to the application

§ 8 Sub-processors

(1) The Controller consents to the use of the sub-processors listed below. The Processor contractually ensures that each sub-processor is bound by equivalent obligations to those set out in this DPA.

(2) Where the Processor intends to engage or replace a sub-processor, it notifies the Controller at least 4 weeks in advance in text form (email to the registered admin address is sufficient). The Controller may object on substantive data-protection grounds within 2 weeks of receipt. A justified objection grants both parties an extraordinary right to terminate the main contract; otherwise consent is deemed given.

(3) Current list of sub-processors:

ServiceSub-processorLocationSafeguards
Hosting, database, backupHetzner Online GmbHGermany (Falkenstein, Nuremberg)DPA under Art. 28 GDPR · ISO 27001
Transactional email deliveryResend, Inc.USASCCs under Art. 46 GDPR · EU-US Data Privacy Framework
Payment processing (platform)Stripe Payments Europe Ltd.IrelandDPA under Art. 28 GDPR · SCCs for any third-country components
AI inference (system fallback)OpenAI Ireland Ltd.Ireland / USASCCs under Art. 46 GDPR · EU-US Data Privacy Framework · Zero-retention API option
AI inference (system fallback)Anthropic PBCUSASCCs under Art. 46 GDPR · EU-US Data Privacy Framework · no training use
OAuth + Calendar (optional, per user)Google Ireland Ltd.Ireland / USASCCs under Art. 46 GDPR · EU-US Data Privacy Framework
Telegram bot (optional, per user)Telegram Messenger Inc.UK / UAESCCs under Art. 46 GDPR; activated only when explicitly paired by the user

Third-party tools that the Controller connects via integrations (e.g., Lexware, easybill, DATEV, ClickUp, awork) are not sub-processors of the Processor; the Controller enters into its own agreements with these providers where required.

§ 9 Rights of Data Subjects

(1) The Processor supports the Controller with appropriate technical and organisational means in fulfilling data-subject rights, in particular requests for access, rectification, erasure, restriction, and portability.

(2) Where a data subject or a supervisory authority contacts the Processor directly, the Processor informs the Controller without delay and coordinates further steps with them.

(3) Primary responsibility for responding to data-subject requests remains with the Controller.

§ 10 Personal Data Breaches and Notification Duties

(1) The Processor notifies the Controller without undue delay, and at the latest within 48 hours of becoming aware, of any breach of the protection of personal data within the meaning of Art. 33 GDPR that concerns the Controller's data.

(2) The notification includes, where known: the nature of the incident, categories and number of affected data subjects, likely consequences, measures taken or planned, and a point of contact.

(3) Where the Controller's data is endangered by garnishment, seizure, insolvency, or other third-party action, the Processor informs the Controller without delay and points out to the acting bodies that data ownership rests with the Controller.

§ 11 Deletion and Return of Data

(1) Upon termination of the main contract, all of the Controller's personal data is, upon request, first exported in a structured, commonly used and machine-readable format (CSV / JSON).

(2) The Processor then irreversibly deletes all data from production systems within 30 days. Backups are automatically overwritten in regular rotation; full removal from backups is completed within a maximum of 14 further days.

(3) Statutory retention obligations (in particular under §§ 147 AO, 257 HGB) remain unaffected. For the duration of statutory retention, processing is restricted to the legally required minimum.

(4) Deletion is confirmed in text form on request.

§ 12 Audit Rights of the Controller

(1) The Controller may at any time verify compliance with this agreement. The Processor provides suitable evidence on request — in particular certificates of its sub-processors, excerpts from this DPA, audit reports, and an up-to-date list of sub-processors.

(2) Where such evidence is not sufficient, the Controller may request an on-site inspection with at least 30 days advance notice. Routine inspections without specific cause are limited to one per calendar year; the right to additional inspections in case of justified cause (e.g., a data breach) remains unaffected.

(3) Inspections are conducted in a manner that does not disproportionately disrupt the Processor's operations. Costs and effort on the Processor's side that exceed the necessary minimum are borne by the Controller.

§ 13 Data Protection Officer and Recipients of Instructions

Point of contact for data-protection matters at the Processor:
Naumche Joshevski, Orangize Digital
datenschutz@dversum.com

External data-protection counsel is engaged as needed; a formally appointed external Data Protection Officer will be named in this list as soon as the statutory thresholds (§ 38 BDSG) are reached.

§ 14 Term and Termination

(1) This DPA runs for as long as the main contract (SaaS usage agreement) between the parties exists. Either party may terminate it separately with 3 months' notice to month-end, unless such termination would also terminate the main contract.

(2) The Controller may terminate this agreement with immediate effect if the Processor seriously breaches the provisions of this agreement or data-protection law and fails to remedy the breach within a reasonable period.

§ 15 Final Provisions

(1) German law applies.

(2) The exclusive place of jurisdiction for disputes arising from this agreement is — to the extent legally permissible — the registered office of the Processor.

(3) Amendments and supplements require text form. This also applies to the cancellation of this form requirement.

(4) Upon taking effect, this DPA supersedes all earlier agreements between the parties on processing of personal data on behalf.

(5) Should any provision of this agreement be or become invalid, this does not affect the validity of the remaining provisions. The invalid provision shall be replaced by the legally permissible regulation that comes closest to the economic purpose of the invalid provision.

Last updated: 2026-06-16 · Material changes are communicated to the Controller in text form.