← Back to home

Data Processing Agreement (DPA)

Last updated: July 5, 2026

Between the customer (the "Controller") and Hölzel, Iserhagen & Kirscht GbR (the "Processor") pursuant to Art. 28 GDPR. It is concluded automatically at onboarding. The German AVV prevails.

1. Subject matter and duration

The subject matter is the processing of personal data of the Controller’s end customers by the Processor in the course of providing the "Sondercase" service. The duration matches the term of the main contract.

2. Nature, scope and purpose

Processed are inbound customer inquiries (email/messenger) and associated order and contact data for the purpose of automated or draft-based responses to support requests.

2a. Quality measurement and product improvement

From the messages already processed in the course of providing the service, the Processor computes aggregate quality metrics — in particular the extent to which AI-suggested responses are adopted unchanged, edited or discarded (e.g. share of words changed). No message content is made visible to staff and no additional copies of content are stored; only aggregate metrics for improving and assuring the quality of the service arise. This processing occurs within the documented instructions of the Controller (Art. 28 GDPR).

3. Type of data and categories of data subjects

  • Data types: contact data, communication content, order/transaction data.
  • Data subjects: the Controller’s end customers.

4. Obligations of the processor

  • Processing solely on the Controller’s documented instructions.
  • Confidentiality obligation of the persons involved.
  • Technical and organisational measures (TOMs) per Art. 32 GDPR (see annex).
  • Support with data-subject rights and notification duties (Art. 33/34 GDPR).
  • Deletion or return of data after the contract ends, at the Controller’s choice.
  • Evidence of compliance and enabling audits.

5. Sub-processors

The Controller approves the use of the sub-processors named in the Privacy Policy. The Processor will give timely notice of changes; a right to object for good cause exists.

6. Technical and organisational measures (TOM annex)

  • Encryption of credentials and secrets (encryption of sensitive data at rest).
  • Access control (row-level security, role-based access), tenant isolation per organisation.
  • Transport encryption (TLS), authentication via JWT.
  • Logging, rate limiting and bot protection.
  • Regular backups and recoverability.
  • Internal analytics run solely via read-only, logged database access to aggregate metrics; message content is not made visible to staff.

7. Third countries

Any transfer to third countries occurs only in compliance with Art. 44 et seq. GDPR (e.g. EU Standard Contractual Clauses).

8. Liability and final provisions

The provisions of the main contract apply in addition. In case of conflict, this DPA prevails on data-protection matters.