Data Processing Agreement (DPA)

According to Art. 28 GDPR for the use of e-rechn.de

1. Subject and Duration of the Contract

This agreement regulates the rights and obligations between the client (controller according to Art. 4 No. 7 GDPR) and the contractor (processor according to Art. 4 No. 8 GDPR) in connection with the processing of personal data by the contractor on behalf of the client.

Client (Controller)

The user of the e-rechn.de service

Contractor (Processor)

Alexander Lutsyuk
Algoran / e-rechn.de
Dr. Alban Str. 24
19395 Plau am See
Deutschland / Germany
E-Mail: kontakt@algoran.de

Contract Duration

This agreement is effective from the first use of the service and ends with the termination of the business relationship.

2. Type and Purpose of Processing

Subject: Conversion of PDF invoices into EU-compliant e-invoices (hybrid PDF/A-3 with embedded XML)

Purpose: Provision of a technical service to fulfill e-invoicing obligations according to EU directives

Type of Data:

• Client's email address
• Contents of the uploaded PDF invoice (may contain customer data, amounts, addresses)

Categories of Data Subjects: Client's customers and business partners

3. Technical and Organizational Measures (Art. 32 GDPR)

The contractor takes the following measures to protect the processed data:

Confidentiality (Art. 32 para. 1 lit. b GDPR)

• Encryption: SSL/TLS (HTTPS) for all data transmissions
• Access Control: Only authorized systems can access processing services

Integrity (Art. 32 para. 1 lit. b GDPR)

• In-Memory Processing: All data is processed exclusively in memory
• No Permanent Storage: Invoice data is never permanently stored on hard disks

Availability and Resilience (Art. 32 para. 1 lit. b GDPR)

• Server Location: Exclusively servers in Germany
• Hosting: With reliable EU providers

Recovery Procedures (Art. 32 para. 1 lit. c GDPR)

• Automatic Deletion: Immediate and irrevocable deletion of all temporary data after completion of processing
• Since no data is stored, there is no need for recovery

4. Instructions from the Client

The contractor processes personal data exclusively on documented instructions from the client. The instruction is implicitly given by using the e-rechn.de service: the contractor converts the uploaded invoice and sends the result to the specified email address.

5. Rights and Obligations of the Client

• The client is responsible for the lawfulness of data processing
• The client must ensure that they are authorized to process the uploaded data
• The client can request information about processing at any time (however, due to immediate deletion, no data is available)

6. Sub-processors

The contractor is authorized to use the following sub-processors:

• Hosting Provider: Server hosting in Germany
• Email Service: For sending converted invoices

The client agrees to the engagement of these sub-processors by using the service. The client will be informed of any changes.

7. Deletion and Return of Data

After completion of processing (conversion of the invoice and sending via email), all personal data is immediately and irrevocably deleted. There is no permanent storage. A return of the data is therefore not possible and not necessary.

8. Obligations of the Contractor

• Processing exclusively according to client instructions
• Compliance with GDPR and other applicable data protection laws
• Immediate notification of data breaches
• Support of the client in fulfilling their obligations (e.g., information requests)

9. Client's Control Rights

The client has the right to verify the contractor's compliance with data protection regulations. However, due to in-memory processing and immediate deletion, there is no stored data that could be verified.

10. Liability and Compensation

In case of GDPR violations, the contractor is liable according to Art. 82 GDPR. Liability is limited to intent and gross negligence, unless essential contractual obligations are violated.

11. Final Provisions

This agreement comes into effect with the first use of the service. Changes to this agreement will be communicated to the client and are deemed accepted if the service continues to be used.