Zum Hauptinhalt springen

Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Last Updated: May 25, 2026
GDPR Art. 28 compliant
Notice

This Data Processing Agreement automatically becomes part of the contract upon use of BISpicy Inventory Management and applies between the Customer (Controller) and the Provider (Processor).

Section 1 Subject Matter and Duration of Processing

(1) Subject Matter: The processing of personal data takes place within the scope of using the cloud software "BISpicy Inventory Management".

(2) Duration: Processing is carried out for the term of the main contract. After termination, all personal data will be deleted within 30 days, unless statutory retention obligations apply.

(3) Nature of Processing:

  • Collection, storage, and use of customer master data
  • Processing of order data and transactions
  • Generation of invoices and delivery notes
  • Transmission to shipping carriers for order fulfillment

Section 2 Categories of Data Subjects and Data

2.1 Categories of Data Subjects

  • Customers/end customers of the Controller
  • Suppliers of the Controller
  • Employees of the Controller
  • Contact persons at business partners

2.2 Categories of Personal Data

Data Category Examples
Contact Data Name, address, email, phone number
Contractual Data Orders, invoices, customer numbers
Payment Data Bank details, payment history (encrypted)
Shipping Data Delivery addresses, tracking numbers

Section 3 Obligations of the Processor

The Processor undertakes to:

  1. Instruction Binding: Process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR)
  2. Confidentiality: Ensure that all persons authorized to process data are committed to confidentiality (Art. 28(3)(b) GDPR)
  3. Security Measures: Implement all technical and organizational measures required under Art. 32 GDPR
  4. Sub-processors: Engage other processors only with prior consent of the Controller (Art. 28(2) GDPR)
  5. Assistance: Assist the Controller in fulfilling obligations under Art. 32-36 GDPR
  6. Deletion: Delete or return all personal data after termination of the contract
  7. Accountability: Make available to the Controller all information necessary to demonstrate compliance

Section 4 Technical and Organizational Measures (TOMs)

The Processor has implemented the following measures pursuant to Art. 32 GDPR:

4.1 Confidentiality

  • Physical Access Control: Data centers with physical access controls (DigitalOcean EU)
  • Logical Access Control: Password-protected user accounts, optional two-factor authentication
  • Authorization Control: Role-based permission system
  • Separation Control: Tenant separation through individual databases

4.2 Integrity

  • Transfer Control: TLS 1.3 encryption for all data transmissions
  • Input Control: Logging of all data entries and modifications

4.3 Availability and Resilience

  • Availability Control: 99.9% uptime guarantee, redundant systems
  • Recoverability: Daily automatic backups, tested restoration procedures

4.4 Procedures for Regular Review

  • Regular security audits
  • Penetration tests by external service providers
  • 24/7 system monitoring

Section 5 Sub-processors

(1) The Controller consents to the engagement of the following sub-processors:

Sub-processor Location Processing Purpose
DigitalOcean LLC Frankfurt (EU) Backend hosting, database, cloud backups (Spaces, S3-compatible)
Stripe Payments Europe Ltd. Dublin (EU) Payment processing for software licenses
Google LLC (Firebase Cloud Messaging) EU/USA (Standard Contractual Clauses) Push notifications to connected POS devices (no personal content)
Anthropic PBC (only when AI features are used) USA (Standard Contractual Clauses, Art. 46 GDPR) AI-assisted recognition of incoming invoices, AI article creation and AI repricing. Submitted data is not used for model training (Anthropic Commercial Terms / DPA).
Fiskaly GmbH (when POS integration is active) Germany / Austria (EU) Cloud TSE (KassenSichV) and RKSV cloud signing
Shipping carriers (DHL, DPD, GLS, Hermes, UPS, FedEx) — when enabled EU Shipping label creation, track & trace (upon instruction)
Marketplaces and shops (Amazon, eBay, Etsy, Shopify, Magento, WooCommerce, Shopware) — when enabled EU / worldwide (depending on provider) Order and article synchronization upon the Controller's instruction

(2) The Processor shall inform the Controller before engaging additional sub-processors. The Controller may object within 14 days.

(3) Note regarding shipping carriers: The transfer of recipient data to shipping carriers is made exclusively upon the explicit instruction of the Controller (by creating a shipping label in the software) for the purpose of fulfilling the shipping order.

Section 6 Rights of Data Subjects

(1) The Processor shall assist the Controller in fulfilling the rights of data subjects (Art. 12-22 GDPR):

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)

(2) The Processor provides an export function that exports all personal data in a machine-readable format (CSV/JSON).

Section 7 Notification Obligations in Case of Data Breaches

(1) The Processor shall notify the Controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware of it.

(2) The notification shall contain at a minimum:

  • Description of the nature of the breach
  • Affected data categories and approximate number of records
  • Likely consequences
  • Measures taken or proposed to address the breach

Section 8 Deletion and Return of Data

(1) Upon termination of the main contract, all personal data shall be:

  • Exported and handed over to the Controller in a common format upon request
  • Irrevocably deleted after a period of 30 days

(2) Exceptions apply for data that must be retained for longer periods due to statutory retention obligations (e.g., invoices: 10 years).

Section 9 Audit Rights

(1) The Controller has the right to verify compliance with this agreement.

(2) The Processor shall provide the following for this purpose:

  • Evidence of technical and organizational measures
  • Current certifications and audit reports
  • Upon request: on-site inspections (by appointment)

Section 10 Final Provisions

(1) Applicable Law: German law applies, in consideration of the GDPR.

(2) Amendments: Amendments to this agreement require text form.

(3) Severability Clause: Should individual provisions be invalid, the validity of the remaining provisions shall remain unaffected.

PDF Download

You can also download this Data Processing Agreement as a PDF:

Print / Save as PDF
Data Protection Contact

Email: [email protected]
Further Information: Privacy Policy

Last Updated: May 25, 2026