Data Processing Agreement (DPA)

Section 1 Subject Matter and Duration of Processing

(1) Subject Matter: The processing of personal data takes place within the scope of using the cloud software "BISpicy Inventory Management".

(2) Duration: Processing is carried out for the term of the main contract. After termination, all personal data will be deleted within 30 days, unless statutory retention obligations apply.

(3) Nature of Processing:

• Collection, storage, and use of customer master data
• Processing of order data and transactions
• Generation of invoices and delivery notes
• Transmission to shipping carriers for order fulfillment

Section 2 Categories of Data Subjects and Data

2.1 Categories of Data Subjects

• Customers/end customers of the Controller
• Suppliers of the Controller
• Employees of the Controller
• Contact persons at business partners

2.2 Categories of Personal Data

Data Category	Examples
Contact Data	Name, address, email, phone number
Contractual Data	Orders, invoices, customer numbers
Payment Data	Bank details, payment history (encrypted)
Shipping Data	Delivery addresses, tracking numbers

Section 3 Obligations of the Processor

The Processor undertakes to:

1. Instruction Binding: Process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR)
2. Confidentiality: Ensure that all persons authorized to process data are committed to confidentiality (Art. 28(3)(b) GDPR)
3. Security Measures: Implement all technical and organizational measures required under Art. 32 GDPR
4. Sub-processors: Engage other processors only with prior consent of the Controller (Art. 28(2) GDPR)
5. Assistance: Assist the Controller in fulfilling obligations under Art. 32-36 GDPR
6. Deletion: Delete or return all personal data after termination of the contract
7. Accountability: Make available to the Controller all information necessary to demonstrate compliance

Section 4 Technical and Organizational Measures (TOMs)

The Processor has implemented the following measures pursuant to Art. 32 GDPR:

4.1 Confidentiality

• Physical Access Control: Data centers with physical access controls (DigitalOcean EU)
• Logical Access Control: Password-protected user accounts, optional two-factor authentication
• Authorization Control: Role-based permission system
• Separation Control: Tenant separation through individual databases

4.2 Integrity

• Transfer Control: TLS 1.3 encryption for all data transmissions
• Input Control: Logging of all data entries and modifications

4.3 Availability and Resilience

• Availability Control: 99.9% uptime guarantee, redundant systems
• Recoverability: Daily automatic backups, tested restoration procedures

4.4 Procedures for Regular Review

• Regular security audits
• Penetration tests by external service providers
• 24/7 system monitoring

Section 5 Sub-processors

(1) The Controller consents to the engagement of the following sub-processors:

Sub-processor	Location	Processing Purpose
DigitalOcean, LLC	EU (Frankfurt)	Cloud hosting, data storage
Stripe, Inc.	EU (Dublin)	Payment processing
DHL Paket GmbH	Germany	Shipping services (upon instruction)
DPD Deutschland GmbH	Germany	Shipping services (upon instruction)
GLS Germany GmbH & Co. OHG	Germany	Shipping services (upon instruction)
Hermes Germany GmbH	Germany	Shipping services (upon instruction)
UPS Deutschland Inc. & Co. OHG	Germany	Shipping services (upon instruction)

(2) The Processor shall inform the Controller before engaging additional sub-processors. The Controller may object within 14 days.

(3) Note regarding shipping carriers: The transfer of recipient data to shipping carriers is made exclusively upon the explicit instruction of the Controller (by creating a shipping label in the software) for the purpose of fulfilling the shipping order.

Section 6 Rights of Data Subjects

(1) The Processor shall assist the Controller in fulfilling the rights of data subjects (Art. 12-22 GDPR):

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)

(2) The Processor provides an export function that exports all personal data in a machine-readable format (CSV/JSON).

Section 7 Notification Obligations in Case of Data Breaches

(1) The Processor shall notify the Controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware of it.

(2) The notification shall contain at a minimum:

• Description of the nature of the breach
• Affected data categories and approximate number of records
• Likely consequences
• Measures taken or proposed to address the breach

Section 8 Deletion and Return of Data

(1) Upon termination of the main contract, all personal data shall be:

• Exported and handed over to the Controller in a common format upon request
• Irrevocably deleted after a period of 30 days

(2) Exceptions apply for data that must be retained for longer periods due to statutory retention obligations (e.g., invoices: 10 years).

Section 9 Audit Rights

(1) The Controller has the right to verify compliance with this agreement.

(2) The Processor shall provide the following for this purpose:

• Evidence of technical and organizational measures
• Current certifications and audit reports
• Upon request: on-site inspections (by appointment)

Section 10 Final Provisions

(1) Applicable Law: German law applies, in consideration of the GDPR.

(2) Amendments: Amendments to this agreement require text form.

(3) Severability Clause: Should individual provisions be invalid, the validity of the remaining provisions shall remain unaffected.