← All documents

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR

Convenience translation for information purposes only. The legally binding version is the German original („Auftragsverarbeitungsvertrag", privatai.com/avv). In case of any discrepancy, the German version prevails.

Version: July 2026

between

the customer – hereinafter the "Client" (German: „Auftraggeber"; controller within the meaning of Art. 4 No. 7 GDPR). The Client's specific details (name/company, address, authorized representative) follow from the account and the order confirmation for this contract.

and

Artur Parutkin (sole proprietorship), Isestraße 35, 20144 Hamburg, Germany – hereinafter the "Contractor" (German: „Auftragnehmer"; processor within the meaning of Art. 4 No. 8 GDPR).

Preamble

The Contractor operates an EU-hosted, privacy-friendly AI API and chat platform at privatai.com (the "Service"). The Client uses the Service under the underlying main contract (GTC / service description). In the GTC, the Contractor is referred to as the "Provider" and the Client as the "Customer". To the extent that the Contractor processes personal data on behalf of the Client, this DPA applies. In the event of a conflict between this DPA and the main contract, this DPA prevails in data protection matters.

§ 1 Subject Matter, Nature, Purpose and Duration of Processing

  1. Subject matter is the processing of personal data which the Client enters or transmits via the Service (Inputs) and has processed in order to generate Outputs by means of AI models.
  2. Nature of processing: automated processing (transmission, inference/computation, return of Outputs) via the API or the chat. Inputs/Outputs are not stored by the Contractor or by the inference data centre (see § 4 and Annex 2).
  3. Purpose: provision of the AI functionality exclusively for the performance of the main contract.
  4. Duration: for the term of the main contract; ends upon its termination (§ 12).

§ 2 Types of Data and Categories of Data Subjects

The scope, nature and purpose as well as the specific types of data and data subjects follow from Annex 1. As the Client alone determines the content and scope of the Inputs, the Client is responsible for the types of data and data subjects processed therein.

§ 3 Rights and Obligations of the Client

  1. The Client is the controller responsible for the lawfulness of the processing and for safeguarding data subjects' rights.
  2. The Client issues instructions as a rule through the use of the Service; supplementary individual instructions are issued in text form to datenschutz@privatai.com. The Contractor may refuse to carry out an individual instruction to the extent that it is technically impossible or would require a material change to the agreed service; the Contractor informs the Client thereof without undue delay.
  3. The Client is responsible for being entitled to transmit the data to the Contractor and – where the Client is subject to professional secrecy – for verifying the permissibility under professional rules (§ 10).

§ 4 Obligations of the Contractor (Art. 28 (3) GDPR)

The Contractor undertakes:

  1. Adherence to instructions — to process personal data only on documented instructions of the Client and to inform the Client if an instruction infringes data protection law (Art. 28 (3) lit. a, h).
  2. No storage / no training — Inputs and Outputs are not stored, not logged and not used for training or improving models or services after processing; they are not accessible to model providers or third parties (secured contractually and technically via the sub-processor Scaleway, Annex 3). The sole exception is the temporary retention of the content of individual requests by the inference sub-processor in the event of detected malicious activity or of disruptions to service quality, for root-cause analysis in accordance with its terms; even in that case there is no use for training and no access by model providers or other third parties. The Contractor's application logs likewise contain no Input/Output content (Annex 2); only metadata (e.g. timestamp, pseudonymized IP, frequency, HTTP status, error messages) is evaluated for abuse and security analysis, not the content of Inputs or Outputs.
  3. Confidentiality — to ensure that all persons authorized to process are bound to confidentiality (Art. 28 (3) lit. b, Art. 29).
  4. TOM — to implement the technical and organizational measures under Art. 32 in accordance with Annex 2 and to keep them at the state of the art.
  5. Support with data subjects' rights — to support the Client, as far as possible, in fulfilling data subjects' rights (Art. 12–23) (Art. 28 (3) lit. e).
  6. Support under Art. 32–36 — to support the Client with breach notifications, DPIAs and prior consultation (Art. 28 (3) lit. f); for data breaches see § 7.
  7. Deletion/return — after the end of processing, to delete or return the data at the Client's choice (Art. 28 (3) lit. g), unless a statutory retention obligation applies.
  8. Evidence/audits — to provide the Client with the information necessary to demonstrate compliance with Art. 28 and to enable audits (§ 8).

§ 5 Sub-Processors (Art. 28 (2), (4) GDPR)

  1. The Client grants a general authorization for the use of sub-processors. The sub-processors engaged at the time of conclusion of the contract are listed in Annex 3.
  2. The Contractor ensures that every sub-processor is subject to the same data protection obligations (Art. 28 (4)); corresponding DPAs are in place, with EU Standard Contractual Clauses for non-EU providers.
  3. The Contractor informs the Client of intended changes of sub-processors (addition or replacement) at least 30 days before they take effect, in text form to the email address stored in the account. Where a sub-processor triggers the change with a shorter lead time of its own, the Contractor informs the Client as early as it is able to.
  4. For processing on behalf of the Client (Inputs/Outputs), primarily Scaleway (inference) and Hetzner (hosting) are relevant. Resend (email) and Stripe (payment), by contrast, process account/billing data for which the Contractor is an independent controller (Annex 1); they are included for transparency.
  5. If the Client objects within the period under No. 3 for an important data protection reason, the Contractor will not have the Client's personal data processed by the new sub-processor for as long as the objection stands. If providing the service without the new sub-processor is unreasonable for the Contractor, either party may terminate the main contract with effect from the end of the current billing period; § 12 remains unaffected.

§ 6 Data Subjects' Rights

If a data subject contacts the Contractor directly, the Contractor forwards the request to the Client without undue delay and does not act itself unless legally obliged to do so.

§ 7 Notification of Personal Data Breaches

The Contractor notifies the Client of personal data breaches without undue delay after becoming aware of them, as a rule within 48 hours, in text form, with the information required for notification under Art. 33/34, and supports investigation and containment.

§ 8 Audit Rights / Evidence

The Contractor demonstrates compliance with its obligations upon request, in particular through the TOM (Annex 2) and certificates and audit reports of the sub-processors. The Client may additionally conduct audits, or have them conducted by an independent auditor bound to confidentiality: with reasonable advance notice, as a rule at most once per year, and additionally on an ad-hoc basis where there are concrete indications of a violation, in particular after a data breach. Audits take place during normal business hours, preserving trade secrets and without unreasonable disruption of operations. Each party bears its own costs; if an ad-hoc audit does not establish any violation, the Client reimburses the Contractor for the demonstrated reasonable expenses.

§ 9 Transfers to Third Countries

The core processing (Inputs/Outputs, hosting) takes place within the EU (Scaleway/FR, Hetzner/DE). To the extent that ancillary processes involve sub-processors established in a third country (email: Resend, US provider), appropriate safeguards under Art. 44 et seq. GDPR – in particular the EU Standard Contractual Clauses (2021/914) – are in place.

§ 10 Professional Secrecy (Section 203 German Criminal Code) — for Holders of Professional Secrets

  1. If the Client is a holder of professional secrets within the meaning of Section 203 of the German Criminal Code (StGB) (e.g. lawyers, physicians, tax advisors, auditors), the Contractor undertakes, as an "other participating person" within the meaning of Section 203 (3), (4) StGB, to keep confidential the third-party secrets that become known to it, and binds the persons it engages to corresponding confidentiality.
  2. The permissibility under professional rules of engaging the Contractor in the individual case is verified by the Client on the Client's own responsibility (where appropriate with the Client's chamber).
  3. This undertaking applies across professions and takes account of the requirements of the relevant professional-law authorization provisions for participating persons (inter alia Section 43e of the Federal Lawyers' Act (BRAO), Section 62a of the Tax Advisory Act (StBerG), Section 50a of the Auditors' Code (WPO), and the medical professional codes, in each case in conjunction with Section 203 StGB). A separate professional secrecy undertaking (Annex 4) is provided upon the Client's request.
  4. In the standard plans, the following applies: Inputs and Outputs are neither stored nor logged (subject to the narrow security exception under § 4 No. 2); access by model providers or by the sub-processors' personnel is not intended and is prevented by the technical and organizational measures described in Annex 2. The sub-processors' personnel are bound to confidentiality under Art. 28 (3) lit. b, Art. 29 GDPR. An express contractual commitment of the entire sub-processor chain under Section 203 (4) StGB — including the inference data centre — and commitments on the handling of seizure situations are made exclusively as part of the Enterprise setup (separate agreement).

§ 11 Permitted Use; EU AI Act

  1. The Service is a general-purpose AI tool and is not intended for high-risk applications within the meaning of Annex III of Regulation (EU) 2024/1689 (EU AI Act) without the Client's own conformity assessment.
  2. If the Client uses the Service in a high-risk context, the Client is to that extent the "provider"/"deployer" within the meaning of the EU AI Act and bears the resulting obligations; the Client indemnifies the Contractor against third-party claims arising from such use. § 6 of the GTC applies accordingly to the handling of the indemnity.
  3. Outputs are AI-generated; any labelling and disclosure obligations under Art. 50 of the EU AI Act upon publication are incumbent on the Client (deployer).

§ 12 Term and Termination

This DPA runs for the duration of the main contract; it ends automatically upon its termination. § 4 No. 7 (deletion/return) remains unaffected.

§ 13 Liability

  1. The parties' liability is governed by § 9 of the GTC (main contract); its provisions also apply, to the extent legally permissible, to claims in connection with this DPA.
  2. Claims of data subjects under Art. 82 GDPR remain unaffected. In the internal relationship, the parties are liable to each other in accordance with Art. 82 (5) GDPR according to their respective share of responsibility for the damage.

§ 14 Final Provisions

  1. Amendments require text form. 2. In the event of a conflict, this DPA prevails over the main contract in data protection matters. 3. German law applies. 4. Should a provision be invalid, the remainder of the contract remains valid.

Annex 1 — Description of the Processing

Annex 2 — Technical and Organizational Measures (TOM)

The technical and organizational measures under Art. 32 GDPR in the version "July 2026" are attached to this contract as Annex 2 and form part of the contract. The Contractor may update the TOM provided the agreed level of protection is not reduced; the Contractor gives notice of material changes in text form. The current version is available at privatai.com/documents.

Annex 3 — Sub-Processors (version July 2026)

Sub-processor Service Place of processing Transfer mechanism
Hetzner Online GmbH, Gunzenhausen (DE) Hosting Germany — (EU)
Scaleway S.A.S., Paris (FR) AI inference France — (EU)
Plus Five Five, Inc. (Resend), USA Transactional email EU region; provider established in the USA EU Standard Contractual Clauses (2021/914)
Stripe Payments Europe, Limited, Dublin (IE) Payment processing EU; transfers to Stripe, LLC (USA) in accordance with the Stripe DPA Safeguards under Art. 44 et seq. GDPR per the Stripe DPA

The sub-processors' DPA documentation is held by the Contractor and is made available upon request within the scope of § 8. Changes are governed by § 5; the current list is available at privatai.com/unterauftragsverarbeiter. T-Systems/Telekom is used exclusively as part of an Enterprise setup.

Annex 4 — Professional Secrecy Undertaking (Section 203 StGB)

For holders of professional secrets (Section 203 StGB), the professional secrecy undertaking is available as a separate document in the documents area and is provided as an annex upon the Client's request.

Business customers can conclude this Data Processing Agreement after signing in, under „Documents