Data Processing Agreement (DPA)

As of June 2026 — model text pursuant to Art. 28 GDPR. This English version is a convenience translation; the legally binding version is the German one at verwalto.xhub.io/avv.

§ 1 Subject matter and duration of processing

(1) The subject matter is the processing of personal data of owners, tenants, advisory-board members and other contacts of the Controller by the Processor in the course of providing the SaaS solution Verwalto.xhub. (2) The duration corresponds to the term of the main contract. After it ends, the deletion and return obligations under § 11 apply.

§ 2 Nature and purpose of processing

(1) Processing includes storing property, unit, owner and tenant data, bookings and resolution/minutes data; transmitting SEPA files to the bank (via the Controller); sending statements and notifications; evaluating aggregated, anonymised statistics; backups; support on instruction. (2) The purpose is solely the performance of the main contract; processing for the Processor's own purposes is excluded.

§ 3 Types of personal data

Master data (name, address), contact data (email, phone), bank details (IBAN, BIC), contract/unit data, booking and billing data, communication data. Special categories under Art. 9 GDPR only if the Controller expressly records them and has documented a legal basis.

§ 4 Categories of data subjects

Owners (WEG), tenants, advisory-board members and office holders, service providers and contact persons.

§ 5 Obligations of the Processor

Processing only on instruction; notification of unlawful instructions; confidentiality obligation of staff; TOMs pursuant to Art. 32 GDPR; support with data-subject rights (Art. 15–22); breach notification within 24 hours; support pursuant to Art. 32–36 GDPR; deletion/return after the contract ends (§ 11).

§ 6 Controller's right to issue instructions

(1) The Controller remains the controller and issues instructions. (2) Instructions in text form (email, support ticket, software). (3) Verbal instructions must be confirmed in text form without delay.

§ 7 Sub-processors

(1) The Controller consents to the following sub-processors: Hetzner Online GmbH (hosting, Falkenstein/Nuremberg); Resend, Inc. (email delivery); Stripe Payments Europe Limited, Dublin (payment processing, paid plans only). (2) Current list at verwalto.xhub.io/datenschutz. (3) Notice of changes at least 30 days in advance; objection within 14 days with a right to terminate. (4) Contracts with at least equivalent obligations.

§ 8 Technical and organizational measures (TOM)

(1) Measures pursuant to Art. 32 GDPR for confidentiality, integrity, availability and resilience. (2) The specific TOMs are documented at verwalto.xhub.io/tom and form part of this DPA. (3) Further development is permitted provided the level of protection does not decrease.

§ 9 Breach notification obligation

(1) Notification to the Controller within 24 hours of becoming aware (Art. 33 (2) GDPR). (2) Content: nature of the breach, categories/number affected, consequences, measures, contact details. (3) Support with notifying the supervisory authority (72 hours) and informing data subjects (Art. 34).

§ 10 Support with data-subject rights

(1) Functions for access (export per person), rectification, erasure (with anonymisation), restriction (status flag) and data portability (CSV/JSON/XML). (2) Direct requests from data subjects are forwarded to the Controller without delay.

§ 11 Return and deletion of data after the contract ends

(1) 30 days for the export after the contract ends. (2) Afterwards secure deletion within a further 30 days (subject to statutory retention obligations). (3) Data that is subject to retention obligations is kept in an access-protected archive and automatically deleted once the periods expire. (4) Deletion is confirmed in writing on request.

§ 12 Evidence obligations and audit rights

(1) Provision of all evidence pursuant to Art. 28 GDPR. (2) Audit by inspection of audit reports (C5, ISO 27001 — once available) and of the DPA/TOMs, and by on-site inspections (at least 14 days' notice, max. once per year). (3) The Controller bears the cost of the inspection unless material violations are found.

§ 13 Confidentiality

All persons involved in the processing are committed to confidentiality in writing; the obligation continues beyond the employment relationship.

§ 14 Liability

(1) Art. 82 GDPR and the liability provisions of the main contract (Terms § 10) apply. (2) In the case of claims by data subjects, the parties support each other to the best of their ability.

§ 15 Final provisions

(1) German law, excluding the UN Convention on Contracts for the International Sale of Goods. (2) Place of jurisdiction Frankfurt am Main, where permitted. (3) Severability clause. (4) In case of conflict, the data-protection provisions of this DPA prevail.