This is an English convenience translation. In case of discrepancies, the German version (AVV) is legally binding. This DPA becomes part of the contract to the extent we process personal data on behalf of the customer (controller). The controller is the customer; the processor is Arti-IT.
1. Subject & duration
(1) The subject of this agreement is the processing of personal data by Arti-IT (processor) on behalf of the customer (controller) within the use of the SaaS products Blina Desk AI and Blina Space.
(2) The duration of this agreement corresponds to the term of the respective main contract (SaaS agreement). It ends upon its termination, subject to the provisions on deletion and return (section 9).
2. Nature, purpose & data of processing
| Item | Description |
|---|---|
| Nature of processing | Collecting, storing, organising, indexing, searching, displaying, transmitting (to the extent necessary) and deleting personal data within the software. |
| Purpose | Provision of the contractually agreed SaaS functions (document archive, semantic search, OCR, AI-assisted analysis, administration, notifications). |
| Categories of data subjects | Employees, customers, suppliers, prospects and other contacts of the controller whose data is contained in uploaded documents or in the system. |
| Categories of personal data | Master data (name, contact details), communication and contract data, content of uploaded documents, usage and log data. The actual scope is determined by the controller through the content it uploads. |
Special categories of personal data (Art. 9 GDPR) are processed only if the controller enters such data into the system; the controller is responsible for the lawfulness.
3. Obligations of the processor
- Processing only on documented instructions of the controller, unless required by law (Art. 28(3)(a) GDPR).
- Commitment of persons authorised to process to confidentiality (Art. 28(3)(b), Art. 29 GDPR).
- Implementation of technical and organisational measures under Art. 32 GDPR (section 4).
- Assisting the controller in responding to data subject requests as well as with data protection impact assessments and notification obligations (Art. 28(3)(e) and (f) GDPR).
- Promptly informing the controller if, in the processor's opinion, an instruction infringes data protection law.
4. Technical & organisational measures (TOM)
The processor implements appropriate TOM under Art. 32 GDPR, in particular:
- Confidentiality: access and authorisation control, role-based permissions (RBAC), separate database per tenant (tenant isolation).
- Encryption: transport encryption (TLS/SSL); encryption of sensitive keys (e.g. API keys) at rest.
- Integrity: automatic virus scanning on upload, audit logs, input and transfer control.
- Availability & resilience: regular backups, immutable off-site backup (WORM/object lock) to protect against ransomware, monitoring.
- Recoverability: procedures to restore availability after an incident.
- Evaluation: regular review and updating of the measures.
5. Sub-processors
(1) The controller consents to the use of the sub-processors listed below. The processor informs the controller of intended changes in advance and grants the controller a right to object.
| Provider | Purpose | Location / note |
|---|---|---|
| Hetzner Online GmbH | Hosting & infrastructure (SaaS, databases, storage, backup) | Germany (EU) |
| Hostinger International Ltd. | Website hosting (arti-it.de), email/SMTP | EU/EEA |
| OpenAI Ireland Ltd. | AI processing (chat, embeddings / semantic search) | EU contracting party; possible third-country transfer with safeguards (SCC) |
| Brevo (Sendinblue GmbH) | Transactional email (verification, notifications) | EU/EEA |
| Stripe Payments Europe Ltd. | Payment processing (paid plans only) | EU (Ireland) |
| Google Ireland Ltd. | Operation of the chat assistant (proxy, EU cloud region) | EU (europe-west3) |
(2) The processor concludes contracts with each sub-processor that ensure a level of data protection essentially equivalent to this DPA.
6. Data subject rights
The processor assists the controller, within its means, in complying with data subject requests for access, rectification, erasure, restriction, portability and objection. If a data subject contacts the processor directly, the processor forwards the request to the controller without undue delay.
7. Audit rights
The controller is entitled to verify compliance with the TOM and the obligations under this agreement. The processor provides the necessary information; evidence may also be provided through suitable certificates, reports or self-assessments. On-site audits are possible with reasonable prior notice and without disrupting operations.
8. Notification of breaches
The processor notifies the controller of personal data breaches without undue delay after becoming aware of them and assists the controller in fulfilling its notification obligations under Art. 33, 34 GDPR.
9. Deletion & return
After the end of processing, the processor deletes or returns the personal data, at the controller's choice, unless a statutory retention obligation applies. The controller is granted a reasonable period to export its data before deletion.
10. Liability & final provisions
(1) Liability is governed by the provisions of the main contract (Terms) and Art. 82 GDPR.
(2) In case of conflict between this DPA and the main contract, the provisions of this DPA prevail on data protection matters.
(3) German law applies. Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.