When we process personal data in a client project, we do so as a processor within the meaning of Art. 28 GDPR. This page summarizes how we handle that. The legally binding data processing agreement (DPA, German: AVV) is concluded individually before any processing begins. The German version of this page is authoritative.
Our standard commitments
Every DPA with us contains at least:
- Processing only on documented instructions of the controller, exclusively for the agreed purposes.
- EU processing: client data is processed on EU infrastructure by default; on-premise operation at the client is available where the engagement demands it.
- No training use: model providers are configured and contractually bound so that client data is not used to train AI models.
- Confidentiality: everyone involved in processing is bound to confidentiality. For clients under professional secrecy (tax firms, law firms) we additionally undertake the obligations of the applicable professional laws (such as § 62a of the German Tax Advisory Act, § 43e of the German Federal Lawyers' Act including the notice under § 203 of the German Criminal Code, § 80 of the Austrian WTBG) and bind subcontractors identically.
- Technical and organizational measures (TOMs): encryption in transit and at rest, need-to-know access control, logging, separated environments per client. The specific TOMs are an annex to the DPA.
- Sub-processors are named in the DPA; changes are announced in advance with the controller's right to object.
- Support with data-subject rights, data protection impact assessments and breach notifications without undue delay.
- Deletion or return of all personal data after the end of the engagement, at the controller's choice, with confirmation.
- Audit rights of the controller to the statutory extent.
Process
The DPA is sent together with the proposal and signed before any data access. On request we provide the draft in advance for review by your data protection officer or legal counsel: [email protected]