Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) pursuant to Art. 28 GDPR
This Data Processing Agreement ("DPA") forms part of the Terms of Service between vlastERP UG (haftungsbeschränkt), Berlin, Germany ("Processor") and the customer ("Controller") who subscribes to the vlastERP service.
1. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing the vlastERP ERP SaaS platform, including but not limited to: client management, invoicing, time tracking, project management, and financial reporting.
Processing begins when the Controller creates an account and continues until termination of the subscription. After termination, data is retained for 30 days (recovery window) and then permanently deleted, except where legal retention periods apply (see Section 8).
2. Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Storage of client contact data | Client management, invoicing |
| Storage of financial data (invoices, payments) | Invoice generation, payment tracking, fiscal reporting |
| Storage of time entries | Project tracking, invoice generation |
| Storage of user accounts | Authentication, authorization, audit trail |
| Processing of email addresses | Transactional emails (invoices, reminders) |
| Storage of bank account/tax IDs (encrypted) | Invoice compliance, payment processing |
3. Categories of Data Subjects
- Controller's employees and team members (user accounts)
- Controller's clients and contacts (client data)
- Controller's suppliers and subcontractors
4. Categories of Personal Data
- Name, email, phone number
- Company name, address, tax identification numbers
- Bank account details (IBAN) — stored encrypted (AES-256-GCM)
- Invoice amounts, payment records
- Time tracking data (hours, project assignments)
- IP addresses, user agent strings (audit log)
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
- Assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) via the GDPR API endpoints.
- Notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach.
- Delete or return all personal data to the Controller after the end of the provision of services, unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
6. Technical and Organizational Measures (TOMs)
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2/1.3 (HSTS enabled, OCSP stapling) |
| Encryption at rest | AES-256-GCM with per-tenant envelope encryption |
| Access control | RBAC with 6 roles, JWT RS256 authentication, TOTP 2FA |
| Data isolation | PostgreSQL schema-per-tenant (complete database-level isolation) |
| Audit trail | All CREATE/UPDATE/DELETE logged with user, IP, timestamp, old/new values |
| Backup | Daily encrypted backups, 30-day retention, monthly DR testing |
| Password security | bcrypt cost 12, min 12 chars, HaveIBeenPwned check, account lockout |
| Rate limiting | Per-IP and per-tenant rate limiting with Redis |
| Malware scanning | ClamAV for all file uploads |
| Vulnerability scanning | Weekly OWASP ZAP, Trivy container scanning, SBOM generation |
7. Sub-processors
The Controller hereby grants general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (VPS, storage) | Germany (EU) |
| Stripe, Inc. | Payment processing | USA (EU SCCs in place) |
| Resend, Inc. | Transactional email delivery | USA (EU SCCs in place) |
8. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Financial records (invoices, payments) | 8 years | GoBD §147 AO |
| Business correspondence | 6 years | §257 HGB |
| Audit logs (general) | 3 years | Legitimate interest |
| Canceled accounts | 30 days | Recovery window |
9. Data Subject Rights
The Processor provides API endpoints to assist the Controller in fulfilling data subject requests:
- Right of access & portability: `GET /api/v1/gdpr/export` exports all personal data as structured JSON.
- Right to erasure: `POST /api/v1/gdpr/anonymize` anonymizes personal data while retaining financial records as required by law.
- Right to rectification: Standard CRUD endpoints allow the Controller to update any personal data at any time.
10. Audits
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate with such audits and provide all necessary information. Audits shall be carried out with reasonable prior notice (at least 30 days) and shall not unreasonably disrupt the Processor's operations.
11. International Transfers
Where personal data is transferred to sub-processors outside the EEA (Stripe, Resend), such transfers are safeguarded by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Copies of the SCCs are available upon request.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Berlin, Germany.
13. Contact
For questions regarding data processing or this DPA, contact:
vlastERP UG (haftungsbeschränkt)
E-Mail: [email protected]
Website: https://vlasterp.com
This DPA is automatically binding upon account creation. By subscribing to vlastERP, you agree to this Data Processing Agreement. A PDF version can be downloaded from your account settings.
