Data Processing Agreement (DPA) per Art. 28 GDPR

Version 1.2 — 2026-06-12

This agreement is concluded electronically between the registering business ("Controller") and the platform operator Oleksandr Chornous, Drewerstraße 5, 59602 Rüthen, Germany ("Processor").

1. Subject matter

The Processor provides SaaS services for the "Boncard" loyalty program and processes personal data of the Controller's end customers on its behalf.

2. Data categories and purposes

End customers: name, phone, email, birthday, notes, consent metadata — for loyalty program operation and optional marketing after double opt-in
Transactions: card code, points, timestamps, rewards — for loyalty history

3. Instructions

The Controller remains sole controller within the meaning of Art. 4(7) GDPR. Configuration of the service by the Controller through the platform UI constitutes documented instructions. The Processor processes personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR) and informs the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other data protection provisions (Art. 28(3), second subparagraph, GDPR). The Processor assists the Controller with data protection impact assessments and prior consultations (Art. 28(3)(f) in conjunction with Art. 35, 36 GDPR). The term of this agreement corresponds to the duration of account use; it ends upon complete deletion of the account.

4. Technical and organizational measures (Art. 32 GDPR)

TLS 1.2+ in transit
bcrypt password hashing
Role-based access control
Audit logs (90 days, auto-cleanup)
Data integrity: backups per configured MongoDB Atlas tier (continuous cluster backups from tier M10; tier-dependent during beta)
Tenant isolation at application layer
Secrets in encrypted variable storage

5. Subprocessors

By accepting this agreement the Controller approves these subprocessors:

Railway Corp. (US-West, Oregon) — app hosting; Art. 46 GDPR, EU-SCC 2021/914 (provider DPA)
MongoDB Atlas (US-West, Oregon) — database; Art. 45 GDPR Data Privacy Framework (primary); EU-SCC 2021/914 (fallback)
Resend Inc. (USA, AWS) — transactional email; Art. 45 GDPR DPF, self-certification 13.03.2025 (primary); EU-SCC + TIA (fallback)
Cloudflare, Inc. (R2, USA / EU edge) — tenant logo storage (branding only, no end-customer PII); Art. 45 GDPR DPF (primary); EU-SCC 2021/914 (fallback)

The current list is always published at /subprocessors; data-schema and interoperability disclosures per Art. 28 Data Act (Regulation (EU) 2023/2854) are available at /data-act-register.

Notification of changes at least 30 days in advance by email (EDPB Opinion 22/2024); 14 days minimum in emergencies.

6. Data subject rights (Art. 12-22 GDPR)

Data export (Art. 15, 20)
Anonymization (Art. 17)
One-click unsubscribe in every marketing email
Breach notification without undue delay after becoming aware (Art. 33(2) GDPR)

7. Confidentiality

The Processor and its personnel are bound to confidentiality also after termination.

8. Audit rights

The Controller may verify compliance. Routine verification is primarily carried out via provided documentation or a written questionnaire, which the Processor answers within a reasonable period. On-site audits take place only by prior written arrangement, with reasonable notice, at the Controller's cost and without disrupting operations.

9. Deletion after termination

Upon termination, the Processor deletes all personal data of the Controller and its end customers within 30 days following a request by the Controller. Without an explicit request, deletion takes place as part of periodic data cleanup, but no later than six months after termination, unless legal retention obligations apply. The Controller may request a data copy prior to deletion.

10. Final provisions

German law applies. Place of jurisdiction: Soest, where permissible. Changes require text form. Severability clause applies.

Acceptance occurs electronically during registration. Date, IP and user agent are recorded in the audit log and can be evidenced on request.