Data Processing Agreement (DPA)
pursuant to Art. 28 GDPR
Preamble
This Data Processing Agreement (hereinafter "DPA") is concluded between:
- Client: The customer who registers with Portuo and creates a portal (hereinafter "Controller")
- Contractor: Nils Hoffmann, Geierstraße 14, 22305 Hamburg, Germany (hereinafter "Processor" or "Portuo")
This DPA is automatically concluded upon creating a portal with Portuo and supplements the General Terms and Conditions.
Section 1: Subject Matter and Duration of Processing
(1) The subject matter of this DPA is the processing of personal data by the Processor in connection with providing the Portuo platform.
(2) Processing begins with the creation of the portal and ends with the complete deletion of all data upon termination of the contractual relationship.
(3) The duration of processing corresponds to the term of the service agreement between the Controller and the Processor.
Section 2: Nature and Purpose of Processing
Processing includes the following activities:
- Storage and management of user data of the Controller's end customers
- Storage and provision of documents
- Management and storage of tickets and comments
- Sending email notifications on behalf of the Controller
- Provision of technical infrastructure for the customer portal
The purpose of processing is the provision of contractually agreed services in accordance with Portuo's terms of use.
Section 3: Types of Personal Data
The following categories of personal data are processed:
- Master data (name, email address, phone number)
- Authentication data (encrypted passwords)
- Communication data (tickets, comments, messages)
- Documents and their metadata
- Usage data (login times, read status)
- Technical data (IP addresses in server logs)
Section 4: Categories of Data Subjects
The following categories of persons are affected by the processing:
- End customers of the Controller (portal users)
- Employees of the Controller with portal access
- Contact persons at the Controller's client companies
Section 5: Obligations of the Processor
(1) The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
(2) The Processor shall ensure that persons authorized to process personal data have committed to confidentiality.
(3) The Processor shall take all measures required pursuant to Art. 32 GDPR to ensure security of processing.
(4) The Processor shall assist the Controller in fulfilling its obligations under Art. 32-36 GDPR.
(5) Upon termination of the agreement, the Processor shall delete all personal data unless a legal obligation to retain such data exists.
(6) The Processor shall immediately inform the Controller if it believes that an instruction violates the GDPR or other data protection provisions of the Union or Member States.
Section 6: Sub-processors
(1) The Controller grants the Processor general authorization to engage additional processors (sub-processors).
(2) The following sub-processors are engaged at the time of contract conclusion:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting | Frankfurt (EU) |
| Supabase Inc. | Database, Auth, Storage | Frankfurt (EU) |
| Brevo GmbH | Email delivery | Germany (EU) |
| Stripe Payments Europe | Payment processing | Ireland (EU) |
| BunnyWay d.o.o. | Font delivery (CDN) | Slovenia (EU) |
(3) The Processor shall inform the Controller at least 14 days in advance of any intended changes regarding the addition or replacement of sub-processors. The Controller may object to such changes within this period for important data protection reasons. If no objection is raised, the change shall be deemed approved.
Section 7: Assistance with Data Subject Rights
(1) The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, data portability, objection).
(2) If a data subject contacts the Processor directly, the Processor shall immediately forward the request to the Controller.
Section 8: Technical and Organizational Measures
The Processor has implemented the following technical and organizational measures pursuant to Art. 32 GDPR:
Confidentiality
- Physical access control: Server locations with physical access restrictions (data centers)
- System access control: Authentication with encrypted passwords
- Data access control: Role-based permission system (RLS)
- Separation control: Tenant isolation at database level
Integrity
- Transfer control: TLS encryption of all data transmissions
- Input control: Logging of changes (audit logs)
Availability and Resilience
- Availability control: Redundant server infrastructure
- Rapid recovery: Daily backups
Procedures for Regular Review
- Data protection management: Regular review of measures
- Incident response management: Process for reporting data breaches
Section 9: Notification of Data Breaches
(1) The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
(2) The notification shall include at least:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Section 10: Audit Rights
(1) The Controller has the right to verify the Processor's compliance with this DPA. Upon request, the Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set forth in Art. 28 GDPR.
(2) As the Processor provides its services almost exclusively through cloud infrastructure providers (sub-contractors such as Vercel, Supabase), on-site audits at data centers are replaced by the provision of current attestations, reports, or certifications (e.g., SOC 2, ISO 27001) from the respective sub-contractors.
(3) On-site audits at the Processor's business premises are only possible in individual cases upon reasonable suspicion of data protection violations and after timely written notice (at least 2 weeks) during normal business hours. Such audits may not unreasonably disrupt business operations.
Section 11: Final Provisions
(1) This DPA is governed by German law.
(2) Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall remain unaffected.
(3) Amendments and additions to this DPA require text form.
Contact
For questions regarding this DPA, please contact:
Email: info@portuo.com
Last updated: December 2025 (Version 1.0)