revoke-button.com

Data Processing Agreement

pursuant to Art. 28 GDPR

Note: By using EU Revoke Button, the Customer (the "Controller" within the meaning of GDPR) enters into the following Data Processing Agreement with us (the "Processor"). The agreement applies automatically from the moment the Customer registers a shop or withdrawal data is processed.

Preamble

This agreement specifies the parties' data protection obligations arising from the processing carried out on the Controller's behalf in the course of the services agreed under the main contract ("Terms of Service"). It applies to all activities in which employees of the Processor, or persons engaged by the Processor, process personal data of the Controller.

§ 1 Subject matter and duration of processing

(1) The subject of the processing is the provision of an electronic withdrawal function pursuant to § 356a German Civil Code (implementing Article 11 of EU Directive 2011/83/EU) for the Controller's online shop. This comprises in detail:

  • Collection of withdrawal declarations via a web form
  • Storage of withdrawal data in a database
  • Sending of a receipt confirmation by email to the respective consumer
  • Provision of withdrawal data in the Controller's dashboard

(2) The duration of processing corresponds to the term of the main contract.

§ 2 Specification of the processing

(1) Nature and purpose of processing: Collection, storage, display, dispatch by email, anonymisation after expiry of configured retention periods.

(2) Type of data:

  • Name (first and last name)
  • Email address
  • Order number and, if provided, order date
  • Optional comments by the consumer
  • Traffic data (IP address, user agent) at the time of withdrawal submission

(3) Categories of data subjects: Customers of the Controller who submit a withdrawal.

§ 3 Obligations of the Processor

(1) The Processor shall process personal data exclusively within the scope of the agreements made and according to the Controller's instructions, unless required to process differently by Union law or the law of a Member State to which the Processor is subject. The Processor shall inform the Controller without delay if they consider an instruction to violate applicable laws.

(2) The Processor shall take the technical and organisational measures required under Art. 32 GDPR (see Annex 1).

(3) The Processor shall assist the Controller in responding to data subjects' exercise of their rights, in complying with the obligations under Art. 32 to 36 GDPR, and with data protection impact assessments under Art. 35 GDPR.

(4) The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.

(5) The Processor shall notify the Controller of personal data breaches without delay, at the latest within 48 hours of becoming aware of them.

§ 4 Obligations of the Controller

Within the scope of this agreement, the Controller is solely responsible for compliance with the legal provisions of data protection laws, in particular for the lawfulness of data transfers to the Processor as well as for the lawfulness of data processing.

§ 5 Sub-processors

(1) The Controller agrees to the engagement of the sub-processors listed in Annex 2.

(2) The Processor shall inform the Controller of any intended change regarding the addition or replacement of other processors at least 30 days in advance by email to the address stored in the account. The Controller may object to changes. In the event of an objection, the Processor is entitled to extraordinarily terminate the contract with 30 days' notice.

§ 6 Audit rights

The Controller has the right to verify the Processor's compliance with data protection provisions and contractual agreements. As a rule, audits are fulfilled by presentation of current certifications, reports or report excerpts from independent bodies. On-site audits are possible with reasonable prior notice and to an extent reasonable for the Processor's business operations.

§ 7 Termination

Upon termination of the main contract, the Processor shall hand over to the Controller all documents that have come into their possession, all processing and usage results created, and all data records related to the processing relationship, or, with the Controller's prior approval, destroy them in accordance with data protection requirements. Before termination, the Controller may at any time export their data as CSV via the export function available in the dashboard.

§ 8 Final provisions

Should individual provisions of this agreement be or become invalid, this shall not affect the validity of the remaining provisions. German law applies. The place of jurisdiction is the Processor's registered office.

Annex 1: Technical and organisational measures (TOMs)

Confidentiality (Art. 32(1)(b) GDPR)

  • Physical access control: Servers are operated in certified data centres of sub-processors (ISO 27001), no own data centre
  • System access control: Passwordless sign-in via magic link, JWT-based sessions, automatic lockout after inactivity
  • Data access control: Row-level security at the database level; each merchant sees only data of their own shop
  • Separation control: Multi-tenant architecture, logical separation of data from different controllers
  • Pseudonymisation / anonymisation: Automatic anonymisation of personal data after expiry of the Controller-configured retention period

Integrity (Art. 32(1)(b) GDPR)

  • Transfer control: Exclusively TLS-encrypted transmission (HTTPS)
  • Input control: Audit trail with IP address, user agent and timestamp of each withdrawal submission

Availability and resilience (Art. 32(1)(b) GDPR)

  • Availability control: Automatic daily backups, point-in-time recovery for 7 days, geo-redundant hosting
  • Abuse protection: IP-based rate limiting on public endpoints, honeypot fields against bots

Procedures for regular review (Art. 32(1)(d) GDPR)

  • Version-controlled source code with code reviews prior to each production deployment
  • Continuous security review of dependencies (Dependabot, npm audit)
  • Logging of security-relevant events, retention 30 days

Annex 2: Approved sub-processors

With the Controller's consent, the Processor engages the following sub-processors:

Vercel Inc.
Hosting of the web application (Next.js)
Location: Ireland (EU) / USA · Privacy Policy · DPA

Supabase Inc.
Database hosting (PostgreSQL) and authentication
Location: Frankfurt am Main (EU) · Privacy Policy · DPA

Emailit
Sending of transactional emails (receipt confirmations)
Location: EU · Privacy Policy · DPA

Upstash Inc.
Rate limiting (Redis) for spam protection
Location: EU (Ireland) · Privacy Policy · DPA

Version: 11 May 2026

Contracting party: P² Ventures UG (haftungsbeschränkt), Krokusstr. 33, 73663 Berglen
