pursuant to Art. 28 GDPR · Last updated: 2026-06-16
This is a convenience translation. The legally binding version is the German original.
between
Orangize Digital
Brüderstraße 11
32547 Bad Oeynhausen, Germany
– hereinafter "Processor" –
and
the respective Customer who uses the SaaS application dVersum – hereinafter "Controller" –
This DPA enters into force upon acceptance of the Terms of Service and use of the application. A separately signed version is available on request; a PDF export of this page can be provided.
(1) The subject of this agreement is the processing of personal data by the Processor in the context of providing the SaaS application dVersum.
(2) Processing takes place exclusively to deliver the contractually agreed services and on the documented instructions of the Controller.
(3) The term corresponds to the duration of the SaaS usage agreement. After termination, this DPA continues to apply for as long as personal data of the Controller remains with the Processor.
Processing includes, in particular:
The purpose is the technical provision of the application and related ancillary services.
Types of data processed:
Categories of data subjects:
(1) Processing primarily takes place in Germany (Hetzner data centers in Falkenstein and Nuremberg). Processing in other EU/EEA member states is permitted.
(2) Transfers to third countries (in particular the USA) occur only where § 8 explicitly identifies the sub-processor concerned. In such cases the transfer is safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR) and, where available, by the sub-processor's certification under the EU-US Data Privacy Framework.
(1) The Processor processes personal data exclusively on documented instructions of the Controller, unless required to process by Union or member-state law to which it is subject.
(2) General instructions are issued through the intended use of the application (settings, configuration, permission system). Deviating or additional instructions must be issued in text form to datenschutz@dversum.com.
(3) If the Processor considers an instruction unlawful, it informs the Controller without delay. Pending clarification, the Processor is entitled to suspend execution of the instruction.
(1) The Processor preserves data secrecy. This obligation continues after termination of this agreement.
(2) All persons involved in the processing are bound to confidentiality in writing before taking up their work and receive data-protection training at least once a year.
(3) Access to a Controller's data by internal support staff requires explicit approval by an administrator of the Controller through the built-in access-request system. Approvals are time-limited (max. 10 days) and fully logged.
The Processor implements the following measures pursuant to Art. 32 GDPR. Material changes are coordinated with the Controller in text form.
organization_id on all relevant tables(1) The Controller consents to the use of the sub-processors listed below. The Processor contractually ensures that each sub-processor is bound by equivalent obligations to those set out in this DPA.
(2) Where the Processor intends to engage or replace a sub-processor, it notifies the Controller at least 4 weeks in advance in text form (email to the registered admin address is sufficient). The Controller may object on substantive data-protection grounds within 2 weeks of receipt. A justified objection grants both parties an extraordinary right to terminate the main contract; otherwise consent is deemed given.
(3) Current list of sub-processors:
| Service | Sub-processor | Location | Safeguards |
|---|---|---|---|
| Hosting, database, backup | Hetzner Online GmbH | Germany (Falkenstein, Nuremberg) | DPA under Art. 28 GDPR · ISO 27001 |
| Transactional email delivery | Resend, Inc. | USA | SCCs under Art. 46 GDPR · EU-US Data Privacy Framework |
| Payment processing (platform) | Stripe Payments Europe Ltd. | Ireland | DPA under Art. 28 GDPR · SCCs for any third-country components |
| AI inference (system fallback) | OpenAI Ireland Ltd. | Ireland / USA | SCCs under Art. 46 GDPR · EU-US Data Privacy Framework · Zero-retention API option |
| AI inference (system fallback) | Anthropic PBC | USA | SCCs under Art. 46 GDPR · EU-US Data Privacy Framework · no training use |
| OAuth + Calendar (optional, per user) | Google Ireland Ltd. | Ireland / USA | SCCs under Art. 46 GDPR · EU-US Data Privacy Framework |
| Telegram bot (optional, per user) | Telegram Messenger Inc. | UK / UAE | SCCs under Art. 46 GDPR; activated only when explicitly paired by the user |
Third-party tools that the Controller connects via integrations (e.g., Lexware, easybill, DATEV, ClickUp, awork) are not sub-processors of the Processor; the Controller enters into its own agreements with these providers where required.
(1) The Processor supports the Controller with appropriate technical and organisational means in fulfilling data-subject rights, in particular requests for access, rectification, erasure, restriction, and portability.
(2) Where a data subject or a supervisory authority contacts the Processor directly, the Processor informs the Controller without delay and coordinates further steps with them.
(3) Primary responsibility for responding to data-subject requests remains with the Controller.
(1) The Processor notifies the Controller without undue delay, and at the latest within 48 hours of becoming aware, of any breach of the protection of personal data within the meaning of Art. 33 GDPR that concerns the Controller's data.
(2) The notification includes, where known: the nature of the incident, categories and number of affected data subjects, likely consequences, measures taken or planned, and a point of contact.
(3) Where the Controller's data is endangered by garnishment, seizure, insolvency, or other third-party action, the Processor informs the Controller without delay and points out to the acting bodies that data ownership rests with the Controller.
(1) Upon termination of the main contract, all of the Controller's personal data is, upon request, first exported in a structured, commonly used and machine-readable format (CSV / JSON).
(2) The Processor then irreversibly deletes all data from production systems within 30 days. Backups are automatically overwritten in regular rotation; full removal from backups is completed within a maximum of 14 further days.
(3) Statutory retention obligations (in particular under §§ 147 AO, 257 HGB) remain unaffected. For the duration of statutory retention, processing is restricted to the legally required minimum.
(4) Deletion is confirmed in text form on request.
(1) The Controller may at any time verify compliance with this agreement. The Processor provides suitable evidence on request — in particular certificates of its sub-processors, excerpts from this DPA, audit reports, and an up-to-date list of sub-processors.
(2) Where such evidence is not sufficient, the Controller may request an on-site inspection with at least 30 days advance notice. Routine inspections without specific cause are limited to one per calendar year; the right to additional inspections in case of justified cause (e.g., a data breach) remains unaffected.
(3) Inspections are conducted in a manner that does not disproportionately disrupt the Processor's operations. Costs and effort on the Processor's side that exceed the necessary minimum are borne by the Controller.
Point of contact for data-protection matters at the Processor:
Naumche Joshevski, Orangize Digital
datenschutz@dversum.com
External data-protection counsel is engaged as needed; a formally appointed external Data Protection Officer will be named in this list as soon as the statutory thresholds (§ 38 BDSG) are reached.
(1) This DPA runs for as long as the main contract (SaaS usage agreement) between the parties exists. Either party may terminate it separately with 3 months' notice to month-end, unless such termination would also terminate the main contract.
(2) The Controller may terminate this agreement with immediate effect if the Processor seriously breaches the provisions of this agreement or data-protection law and fails to remedy the breach within a reasonable period.
(1) German law applies.
(2) The exclusive place of jurisdiction for disputes arising from this agreement is — to the extent legally permissible — the registered office of the Processor.
(3) Amendments and supplements require text form. This also applies to the cancellation of this form requirement.
(4) Upon taking effect, this DPA supersedes all earlier agreements between the parties on processing of personal data on behalf.
(5) Should any provision of this agreement be or become invalid, this does not affect the validity of the remaining provisions. The invalid provision shall be replaced by the legally permissible regulation that comes closest to the economic purpose of the invalid provision.
Last updated: 2026-06-16 · Material changes are communicated to the Controller in text form.