Convenience translation for information purposes only. The legally binding version is the German original („Technische und organisatorische Maßnahmen", Anlage 2 zum AVV). In case of any discrepancy, the German version prevails.
Annex 2 to the Data Processing Agreement — measures under Art. 32 GDPR. Contractor (processor): Artur Parutkin (sole proprietorship), Isestraße 35, 20144 Hamburg, Germany. Version: July 2026.
Physical access control — Servers are operated exclusively in ISO 27001-certified data centres of Hetzner (Germany) and Scaleway (France); physical security is the contractual responsibility of these sub-processors. No own hardware.
System access control - End-user login via passwordless magic-link authentication (cryptographically secure 256-bit one-time tokens, single-use, short-lived). - Rate limiting per email and per IP against brute force; honeypot and timing checks against bots. - Admin access separate, IP rate-limited, constant-time password comparison. - Server access (SSH) only for the operator; credentials stored separately.
Data access control - API keys are stored exclusively as SHA-256 hashes (plaintext is displayed once upon creation and never persisted) → database access does not reveal usable keys. - Tenant separation at application level: every access is bound to the session user identity. - Database (PostgreSQL) and cache (Redis) run in a private Docker network, not publicly reachable. - Budget/spend controls per account and a global spending limit against abuse.
Separation control — Separate environments (production / test) with separate databases. Processing separated by purpose (account, usage, content data).
Transfer/transport control - Encryption in transit throughout via TLS; HSTS enforced; modern security headers (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy). - CSRF protection (same-origin checks + SameSite=Lax cookies, Secure + HttpOnly). - Inference transmission to Scaleway TLS-encrypted; Inputs are not stored, not logged and not used for training at Scaleway (Scaleway Specific Conditions for AI Services; except for the temporary retention of individual requests for abuse/malfunction analysis provided for therein). Scaleway's batch processing feature (with up to 24-hour intermediate storage) is not used.
Input control — Application logs without content data of Inputs/Outputs. IP addresses are stored only in pseudonymized form (salted SHA-256 hash). Only operational and security data is logged (timestamp, pseudonymized IP, route/endpoint, HTTP status, response time, model name, token/usage counters, user identifier, error messages) — no Input/Output content. Application and container logs are size-limited, rotating and deleted at the latest after 30 days; host/nginx access logs (with IP) are deleted after 14 days.
Data protection by design and by default (Art. 25) — Data minimization as a core principle: no storage of Inputs/Outputs, pseudonymized IPs, minimal logging, hashed keys, self-hosted analytics (no third-party trackers).
Vulnerability/patch management — Operating system and container images are updated regularly; security-critical updates are applied with priority.
Encryption at rest — The database is encrypted at rest; backups are additionally encrypted with gpg (AES-256).
Sub-processor control — All sub-processors under DPAs pursuant to Art. 28 (Hetzner, Scaleway, Resend, Stripe); EU Standard Contractual Clauses for non-EU providers. Changes with 30 days' notice (§ 5 DPA).
Incident response / data breaches — Documented procedure: detection via monitoring/alerts and the sub-processors' notification chains; assessment of severity and affected data; containment (blocking of access/keys, isolation); notification of the affected controller without undue delay, as a rule within 48 hours (or of the supervisory authority within 72 hours where the Contractor is itself the controller); documentation of every incident.
Review — Regular review of the security measures; an external penetration test is planned. For the sub-processor Resend, a SOC 2 Type II report and a pen-test attestation are on file.