Skip to content

Data processing agreement (DPA)

Notice

This data processing agreement (DPA) template applies between the PakPruvo provider and the respective tenant (customer) where the tenant processes personal data within the meaning of the GDPR via PakPruvo.

By registering and using a paid or free tenant account, the customer accepts this DPA template together with the Terms and Conditions where personal data is processed. For an individualized or signed version, contact contact@pakpruvo.eu.

Version: June 2026. This page may be printed or archived.

1. Parties and subject matter

Controller (Client): the respective tenant using PakPruvo, in the legal form and at the address provided at registration.

Processor (Contractor): dmv daten- und medienverarbeitung, owner Beate Zöllner, In der Esmecke 31, 59846 Sundern, Germany. Email: contact@pakpruvo.eu.

Subject matter is processing of personal data by the Processor on behalf of the Controller when using the PakPruvo SaaS service at pakpruvo.eu. Details are in Annex 1.

2. Term

This DPA applies for the term of the main contract (service agreement/Terms and Conditions) for PakPruvo. It ends automatically when the main contract ends without separate termination.

After contract end, deletion and return rules in section 9 apply.

3. Processor obligations

The Processor processes personal data only on documented instructions from the Controller unless required to do so by Union or Member State law.

The Processor ensures that persons authorized to process data are bound by confidentiality or an appropriate statutory duty of secrecy.

The Processor implements appropriate technical and organizational measures under Art. 32 GDPR. An overview is in Annex 3.

The Processor assists the Controller with data subject rights (section 7), breach notification (section 8), and — where required — data protection impact assessments and consultations.

The Processor informs the Controller without undue delay if it believes an instruction infringes data protection law.

4. Controller obligations

The Controller alone is responsible for ensuring processing via PakPruvo has a valid legal basis and that instructions to the Processor are lawful.

The Controller ensures it is authorized to use the service and binds its users accordingly. It informs the Processor without undue delay of complaints, authority requests, or litigation affecting joint processing.

The Controller documents, within its organizational duties, which categories of personal data and data subjects it processes via PakPruvo.

5. Sub-processors

The Controller grants general written authorization to use sub-processors. The Processor informs the Controller of intended changes and gives the Controller an opportunity to object within a reasonable period.

Currently engaged sub-processors are listed in Annex 2. Sub-processors are subject to the same data protection obligations as this DPA.

6. Audit rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR obligations and enables audits where proportionate.

The Controller may conduct audits to a reasonable extent itself or through an appointee, with prior notice and while preserving confidentiality of other tenants and operational security.

7. Assistance with data subject rights

The Processor assists the Controller with appropriate technical and organizational measures in fulfilling access, rectification, erasure, restriction, portability, and objection rights where the request concerns data processed through PakPruvo.

Requests from data subjects sent directly to the Processor are forwarded without undue delay to the Controller where the responsible tenant can be identified.

8. Personal data breach notification

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach. The notification includes — where available — nature of the breach, categories of data subjects and data affected, likely consequences, and measures taken or proposed.

9. Deletion and return

After the main contract ends, the Processor deletes all personal data processed on behalf of the Controller or returns it to the Controller — unless statutory retention obligations prevent deletion.

Deletion follows periods described in the privacy policy and Terms and Conditions. Backups may be overwritten in technically usual cycles.

10. Final provisions

Amendments to this DPA require text form. The Processor may update this template where legal or technical requirements change; material changes are communicated to the Controller with reasonable notice.

German law applies. Place of jurisdiction for merchants, legal entities under public law, and special funds under public law is the Processor’s registered office unless mandatory law provides otherwise.

If individual provisions are invalid, the remaining provisions remain effective.

Annex 1 — Description of processing

Subject matter: provision and operation of PakPruvo as a multi-tenant SaaS service for managing packaging information, products and user accounts, publication via QR codes, automated checks, and document generation.

Duration: term of the service agreement under the Terms and Conditions.

Nature and purpose: storage, organization, retrieval, transmission, deletion, and other processing of personal data to deliver the contracted service.

Categories of data subjects: users of the tenant admin area; contact persons named by the tenant; persons named in uploaded content or free-text fields where applicable.

Types of personal data: name, email, display name, job title, authentication and log data, signature graphics where applicable, contact data from company profile; other personal data entered by the tenant.

Special categories: not intended for processing by the tenant. The tenant refrains from entering special categories unless expressly agreed.

Annex 2 — Sub-processors

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — hosting, application operation, and email delivery (SMTP) on servers in Germany.

Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland — payment processing and subscription management for paid plans; possible processing in third countries with appropriate safeguards (EU Standard Contractual Clauses).

Further sub-processors for AI-assisted features are named in the privacy policy or by separate notice before go-live.

Annex 3 — Technical and organizational measures (TOMs)

Access control: tenant separation, role-based permissions, password and token authentication, TLS encryption in transit.

Admission and access control: restricted server access, separated environments, logging of security-relevant events.

Disclosure control: no unauthorized disclosure to third parties except sub-processors listed in Annex 2.

Input control: traceability of admin changes through audit logs.

Availability and resilience: regular backups, maintenance windows, protection against excessive load.

Review procedures: measures adapted to technical progress and risk; for Hetzner hosting, additionally their certified TOMs under the Hetzner DPA.