LEGAL · DATA PROCESSING AGREEMENT · AS OF 17.04.2026
DRAFT: not reviewed by counsel, for internal purposes only. To be reviewed by a specialist lawyer before go-live.
Note on language. This is the English-language Data Processing Agreement ("DPA") for international Brand customers of the Collavo platform. A German-language version ("Auftragsverarbeitungsvertrag" / "AVV") exists in parallel. In the event of any conflict, contradiction or ambiguity between this English version and the German version, the German version shall prevail (see § 17).
Scope clarification. This DPA governs the Processing that Collavo carries out as a processor on behalf of the Brand customer (the Controller) — i.e. the brand- and campaign-specific Processing in connection with campaign management, the Controller's own creator collaborations, asset review, rights management, messaging and campaign analytics on the Collavo platform. It does not govern Processing for which Collavo acts as a controller in its own right or jointly with others, in particular: account creation, login, billing of the Brand's own subscription, fraud prevention, platform security, statutory tax-reporting duties such as DAC7, the processor's own corporate administration and — to the extent Collavo determines their purposes and means — the operation of Collavo's own creator marketplace and creator relationship, creator discovery/ranking and paid prominence ("boosted" placement), agency-roster mandates, and payout/commission orchestration. For those operations Collavo acts as an independent controller or, where purposes and means are jointly determined, under a separate Art. 26 GDPR joint-controllership arrangement, which takes precedence for that operation. The definitive per-function allocation of roles (controller / processor / joint controller) is to be confirmed by counsel — see [PLACEHOLDER: binding role mapping per processing function] — and these activities are otherwise described in Collavo's separate privacy notice.
(1) Controller ("Controller"):
[PLACEHOLDER: legal name of the Brand customer], a company organised under the laws of [PLACEHOLDER: jurisdiction], with its registered office at [PLACEHOLDER: address], represented by [PLACEHOLDER: authorised representative].
— The specific Controller, its registered details and signatory are recorded in the order form / Main Agreement and on the signature block of this DPA.
(2) Processor ("Processor" or "Collavo"):
[PLACEHOLDER: legal name and legal form of the operating company, e.g. nojoma GmbH], registered in the commercial register of [PLACEHOLDER: register court] under [PLACEHOLDER: HRB number], registered office at [PLACEHOLDER: address for service], represented by [PLACEHOLDER: managing director], VAT ID [PLACEHOLDER: VAT ID number].
Data protection contact / Data Protection Officer (if appointed): [PLACEHOLDER: name and contact details of the Data Protection Officer].
The Controller and the Processor are each a "Party" and together the "Parties".
(1) Subject matter. The Processor operates the Collavo Creator-Operations platform (web, API and mobile applications) and, in that capacity, processes Personal Data on behalf of the Controller to enable the Controller to plan, produce, review, approve, publish, measure and settle social-content campaigns with creators across connected channels (Meta/Instagram, TikTok, YouTube).
(2) Nature of the Processing. Collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, encryption, pseudonymisation, restriction, erasure and destruction of Personal Data by automated means. The operations carried out on behalf of the Controller under this DPA are, in particular: campaign and brief management; the Controller's own creator collaborations and shortlisting; asset upload, review and approval; rights management (usage types, territories, exclusivity, term); in-app messaging; and campaign analytics/insights of the Controller's campaigns.
To the extent that creator discovery, marketplace ranking and paid prominence ("boosted" placement), agency-roster mandates, and payment/escrow/payout/commission orchestration are determined by Collavo as to their purposes and means (Collavo's own marketplace, ranking and commission logic), Collavo acts for those operations as an independent controller or jointly with the Controller (Art. 26 GDPR), and they fall under the carve-out in the Scope clarification above rather than under this DPA. The definitive role allocation for each such function is to be confirmed by counsel ([PLACEHOLDER: binding role mapping per processing function]). Transactional e-mail, push notifications and error monitoring support the foregoing.
(3) Purpose. The Processing serves exclusively the performance of the services agreed in the Main Agreement between the Parties and the Controller's lawful campaign-operations purposes. The Processor shall not process the Personal Data for its own purposes save where it acts as an independent controller under the carve-out in the Scope clarification above.
(4) Duration. The Processing begins on the effective date of the Main Agreement and continues for its term. The duration of this DPA is tied to the term of the Main Agreement; the obligations regarding confidentiality, return/deletion and audit survive its termination (see § 13 (2)).
(5) Place of Processing. Processing takes place within the European Economic Area ("EEA") and, in respect of certain sub-processors and integrated platforms, in third countries subject to the safeguards in § 12. The detailed description of the Processing is set out in .
(1) Categories of Data Subjects. Detailed in Annex 1, in particular:
(2) Categories of Personal Data. Detailed in Annex 1, in particular:
(3) Special categories — realistic handling. The platform is not designed or intended as a system of record for special categories of Personal Data (Art. 9 GDPR) or criminal-conviction data (Art. 10 GDPR), and the Controller shall not upload structured data of that kind into dedicated fields unless expressly agreed in writing and accompanied by appropriate safeguards. The Parties nevertheless acknowledge that uploaded image and video assets may, in fact, reveal special-category data (e.g. data revealing health, racial or ethnic origin, religious or political beliefs or sexual orientation, and potentially biometric data from facial features). Accordingly:
(1) The Processor shall process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
(2) This DPA, the Main Agreement and the configuration the Controller makes within the platform constitute the Controller's initial and standing documented instructions. Individual ad-hoc instructions shall be issued in text form (e.g. e-mail, ticket) to the contact named in § 1 / Annex 1.
(3) The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable Union or Member State data-protection provisions (Art. 28 (3), final sentence, GDPR). The Processor may suspend execution of the affected instruction until the Controller confirms or amends it.
(4) AI features. The platform uses OpenAI-based generative features (caption/hashtag/brief generation and a RAG chat assistant). These operate on the Controller's instruction and configuration. Writing assistant tools require human confirmation (`requiresConfirmation`); there is no solely automated decision producing legal or similarly significant effects within the meaning of Art. 22 GDPR.
Insofar as Collavo provides these generative AI features, Collavo as provider bears the AI-transparency obligations under Art. 50 (1) and (2) of the AI Act (Regulation (EU) 2024/1689) — in particular ensuring that users are informed they are interacting with an AI system and that AI-generated or -manipulated outputs are marked in a machine-readable format as artificially generated/manipulated (transparency duties applicable from 2 August 2026). These provider obligations cannot be shifted onto the Controller or end users alone. The Controller remains responsible for reviewing and releasing AI-assisted output and for its own advertising-disclosure obligations under § 5a (4) UWG (server-side enforcement of `assertWerbekennzeichnungPresent`; override only with `acknowledgedUWG5a`).
(1) The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(2) This confidentiality obligation continues after termination of the respective employment or service relationship and after termination of this DPA.
(3) The Processor shall grant access to the Personal Data strictly on a least-privilege, need-to-know basis, scoped to the relevant Brand organisation (multi-tenant, `organizationId`-scoped logical separation).
(1) The Processor shall implement and maintain the technical and organisational measures ("TOMs") required under Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk to the rights and freedoms of natural persons. The TOMs are set out in Annex 2.
(2) The TOMs are subject to technical progress. The Processor may update them provided the level of protection is not reduced below the level agreed in Annex 2. Material changes shall be documented and made available to the Controller.
(3) Security measures already implemented in the architecture include, in particular: field-level AES-256-GCM encryption for sensitive fields; TLS in transit and encryption at rest; EdDSA-signed JWT sessions; tenant-scoped (`organizationId`) access control; signed URLs for asset access (Cloudflare R2); separation of payment data via Stripe; and error monitoring via Sentry. (Architecture-derived; to be verified and detailed in Annex 2 by the operator.)
(1) General authorisation. The Controller grants the Processor a general written authorisation to engage sub-processors. The sub-processors engaged at the date of this DPA are listed in Annex 3.
(2) Equivalent obligations. The Processor shall impose on each sub-processor, by way of a contract or other legal act under Union or Member State law, the same data-protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (Art. 28 (4) GDPR). Where a sub-processor fails to fulfil its data-protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations.
(2a) Authority to conclude SCC. The Controller hereby expressly authorises and empowers the Processor to conclude, in the name and on behalf of the Controller, the relevant module(s) of the EU Standard Contractual Clauses (§ 12) and any equivalent transfer instrument with sub-processors, where the Controller is the data exporter or an intended beneficiary. The Processor shall, on request, provide the Controller with the concluded transfer instruments.
(3) Notice and objection. The Processor shall inform the Controller of any intended change concerning the addition or replacement of a sub-processor at least thirty (30) days in advance (e.g. by e-mail or via a subscribed sub-processor list), thereby giving the Controller the opportunity to object on reasonable data-protection grounds.
(4) Effect of objection. If the Controller objects in text form within the notice period and the objection is based on reasonable data-protection grounds, the Parties shall seek a commercially reasonable solution. If no such solution is found within a reasonable period, the Controller may terminate the affected part of the Main Agreement / this DPA for the affected services, with effect from the date on which the new sub-processor would be engaged or, if that date has already passed, with effect at the earliest possible date. This contractual termination right is the Controller's primary contractual remedy in respect of the objected sub-processor; the Controller's statutory and data-protection rights (including under Art. 82 GDPR) remain unaffected.
(5) Indicative sub-processor categories (full list and transfer details in Annex 3; architecture-derived, to be verified by the operator):
| Sub-processor | Purpose |
|---|---|
(1) Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data-subject rights under Chapter III GDPR (Art. 15–22), in particular access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making. So as to enable the Controller to meet its own statutory deadlines (Art. 12 (3) GDPR), the Processor shall provide such assistance without undue delay and in any event within [PLACEHOLDER: e.g. 5–10] business days of the Controller's request.
(2) Where a data subject addresses such a request directly to the Processor, the Processor shall not respond on the merits but shall forward the request to the Controller without undue delay and shall await the Controller's instructions, unless legally obliged to act itself.
(3) Built-in tooling. The platform provides self-service mechanisms supporting these rights, including a public data-deletion flow (24-hour verification link, 14-day grace period, hard-delete cascade). The Processor shall make the corresponding data available to the Controller in a structured, commonly used and machine-readable format on request. (Architecture-derived; to be verified by the operator.)
The consent-management platform (CMP with four categories — essential/preferences/analytics/marketing — append-only `ConsentRecord`, withdrawal by new entry) on collavo.ai relates to Collavo's own controller responsibility for the use of the platform (cookies/tracking under the TDDDG) and is not an assistance measure rendered on the Controller's behalf under this DPA; it is mentioned here for transparency only.
(1) Breach notification to the Controller. The Processor shall notify the Controller without undue delay and in any event within twenty-four (24) hours after becoming aware of a Personal Data breach affecting the Controller's Personal Data. This short window is set so that the Controller retains sufficient time to meet its own 72-hour deadline under Art. 33 (1) GDPR; the Processor's underlying duty is to notify without undue delay (Art. 33 (2) GDPR). The notification shall, as far as available, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to mitigate it, and shall provide a contact point for further information. The Processor shall supplement the information progressively where it is not available at once.
(2) Such notification to the Controller does not constitute an admission of fault. The obligation to notify the supervisory authority (Art. 33 GDPR) and, where applicable, the data subjects (Art. 34 GDPR) remains with the Controller; the Processor shall provide reasonable assistance.
(3) DPIA and prior consultation. The Processor shall assist the Controller, taking into account the nature of Processing and the information available to it, in carrying out data-protection impact assessments (Art. 35 GDPR) and prior consultations with the supervisory authority (Art. 36 GDPR).
(4) The Processor may charge for assistance that materially exceeds the standard functionality of the platform, on the basis of its reasonable documented costs, after prior notice to the Controller.
(1) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
(2) Audits shall, as a rule, be limited to once per calendar year, announced in good time (at least [PLACEHOLDER: e.g. 14] business days in advance), conducted during normal business hours, and carried out so as to minimise disruption to the Processor's operations. The auditor shall be bound to confidentiality. Additional audits may be conducted in the event of a Personal Data breach or upon reasonable request by a competent supervisory authority.
(3) The Processor may primarily satisfy the audit obligation by providing up-to-date certifications, attestations and audit reports (e.g. ISO/IEC 27001, SOC 2 Type II, BSI C5), where available. A residual on-site inspection right remains where such documentation is insufficient to address the Controller's reasonable concern.
(4) Each Party bears its own costs of an audit; the Processor may invoice reasonable documented costs for support that materially exceeds the provision of standard documentation.
(1) Upon termination of the provision of the Processing services, the Processor shall, at the choice of the Controller, either delete or return all Personal Data processed on behalf of the Controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
(2) The Controller shall communicate its choice within [PLACEHOLDER: e.g. 30] days of termination. Absent a timely choice, the Processor shall delete the Personal Data after expiry of that period and any agreed grace period (cf. the platform's 14-day grace / hard-delete cascade).
(3) Deletion shall be carried out in accordance with the state of the art so that restoration is not possible with reasonable effort. The Processor shall confirm deletion or return to the Controller in text form on request.
(4) Personal Data the Processor is required to retain under statutory obligations (e.g. commercial/tax retention periods, DAC7) shall be restricted from further Processing and deleted upon expiry of the statutory retention period. The DAC7 tax-data store is governed by the Processor's own controller responsibility (§ 3 (4)).
(1) Personal Data is, as a rule, processed within the EEA. Transfers to third countries occur only in connection with the sub-processors and integrated platforms listed in Annex 3 (in particular providers domiciled in the USA and other third countries).
(2) Where Personal Data is transferred to a third country without an adequacy decision under Art. 45 GDPR, the Parties shall ensure appropriate safeguards under Art. 46 GDPR, in particular by entering into the relevant module of the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "SCC"). For onward transfers between Processor and sub-processor, Module 3 (processor-to-processor) applies; the Processor concludes the SCC with the relevant sub-processor on the Controller's behalf where appropriate.
(3) Where transfers benefit from the EU-US Data Privacy Framework (Commission Implementing Decision of 10 July 2023) and the relevant recipient is certified thereunder, that adequacy mechanism applies for transfers to the USA; the SCC apply as a fallback and for non-certified recipients.
(4) The Processor shall, where required, carry out and document a transfer impact assessment ("TIA") and implement supplementary measures (e.g. encryption, pseudonymisation, access controls) in line with EDPB Recommendations 01/2020.
(5) Non-EEA Controller / return transfer. Where the Controller itself is established in a third country (the typical case for the international Brand customers addressed by this DPA), the transfer of Personal Data from the EEA-based Processor back to the third-country Controller shall, where no adequacy decision applies, be governed by the appropriate module of the SCC — in particular Module 4 (processor-to-controller) — concluded between the Parties. The Parties acknowledge that, in such constellations, the Controller acts as data exporter/importer in its own jurisdiction and is responsible for ensuring a valid lawful basis and transfer mechanism on its side. The concrete data-flow direction and applicable SCC module are to be confirmed per customer ([PLACEHOLDER: data-flow / SCC module determination per Controller seat]).
(6) Where UK Personal Data is in scope, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCC shall apply mutatis mutandis. (To be verified by the operator depending on customer base.)
(1) This DPA enters into force on its effective date and remains in force for the term of the Main Agreement. It cannot be terminated independently of the Main Agreement while Processing on behalf of the Controller continues.
(2) Obligations under § 5 (Confidentiality), § 11 (Return/Deletion), § 10 (Audit, in respect of completed Processing) and § 14 (Liability) survive termination.
(1) Liability of the Parties towards data subjects and the apportionment of liability between the Parties are governed by Art. 82 GDPR. Each Party (controller or processor) involved in Processing is liable for the damage caused by Processing which infringes the GDPR in accordance with Art. 82 (2) GDPR.
(2) A processor is liable for the damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller (Art. 82 (2), second sentence, GDPR).
(3) Where one Party has paid full compensation for the damage suffered, it is entitled to claim back from the other Party that part of the compensation corresponding to its part of responsibility (Art. 82 (5) GDPR / recourse).
(4) Any limitation or cap on liability agreed in the Main Agreement shall not reduce or exclude the statutory liability under Art. 82 GDPR towards data subjects, nor any liability for intent or gross negligence or for injury to life, body or health, or any liability that cannot be limited by law. As between the Parties, contractual liability caps in the Main Agreement apply to the extent legally permissible. (Exact cap and insurance: [PLACEHOLDER: liability cap / insurance cover] — to be set by the operator/lawyer.)
(1) The Controller is responsible for the lawfulness of the Processing and for the lawful basis of collecting and transmitting the Personal Data to the platform (Art. 5, 6, and where relevant 9 GDPR), and for compliance with information duties towards data subjects.
(2) The Controller warrants that it is entitled to engage the Processor and to issue the instructions given, and that uploaded assets and content do not infringe third-party rights (including personality, image and copyright) and comply with advertising-disclosure law.
(3) The Controller shall keep its own records of Processing (Art. 30 (1) GDPR) where applicable; the Processor maintains its processor record (Art. 30 (2) GDPR).
In the event of conflict, the following order applies for data-protection matters: (1) mandatory provisions of the GDPR and applicable Union/Member State law and any executed SCC; (2) this DPA; (3) the Main Agreement. Annexes form an integral part of this DPA.
This DPA is provided in English and in German (AVV). In the event of any conflict, contradiction or ambiguity between the English and the German version, the German version shall prevail. Both versions are intended to have the same substantive meaning; the German version is the authoritative reference text.
(1) This DPA is governed by the laws of the Federal Republic of Germany, to the exclusion of its conflict-of-laws rules, without prejudice to mandatory provisions of the Controller's jurisdiction protecting data subjects.
(2) The place of jurisdiction is, as far as legally permissible, [PLACEHOLDER: operator's seat / place of jurisdiction].
(3) Should any provision of this DPA be or become invalid, the validity of the remaining provisions remains unaffected; the Parties shall replace the invalid provision with a valid one that comes closest to its economic and data-protection purpose.
(4) Amendments and supplements to this DPA require text form (Art. 28 (9) GDPR; electronic signature is permitted). This also applies to any waiver of the text-form requirement.
The Parties conclude this DPA in text form (Art. 28 (9) GDPR); qualified or simple electronic signature is permitted.
For the Controller
For the Processor (Collavo)
Effective date: [PLACEHOLDER: date]
1. Subject matter and nature. As set out in § 2, the Processing carried out on behalf of the Controller under this DPA comprises: campaign and brief management; the Controller's own creator collaborations and shortlisting; asset review; rights management; messaging; and campaign analytics. Carve-out: creator discovery/marketplace ranking incl. paid prominence, agency-roster mandates, and payment/escrow/payout/commission orchestration are, to the extent Collavo determines their purposes and means, own-controller or joint-controllership operations outside this DPA (§ 2 (2), Scope clarification; [PLACEHOLDER: binding role mapping]).
2. Purpose. Performance of the Main Agreement / the Controller's campaign-operations purposes (§ 2 (3)).
3. Duration. Term of the Main Agreement; deletion/return per § 11.
4. Categories of Data Subjects:
5. Categories of Personal Data:
6. Special categories (Art. 9 GDPR): none intended (§ 3 (3)).
7. Frequency: continuous, for the duration of platform use.
8. Processing locations: EEA and, for the sub-processors/platforms in Annex 3, third countries under the safeguards of § 12.
9. Controller contact for instructions / data-subject requests: [PLACEHOLDER: contact at the Controller].
Effective date: [PLACEHOLDER: date] · Review cycle: annually and upon material change · Processor: [PLACEHOLDER: operating company]
The following reflects the architecture as currently understood and must be verified, completed and dated by the operator before go-live. Values marked "verify" are architecture-derived.
1. Pseudonymisation (Art. 32 (1) (a)). Pseudonymisation/minimisation in development and test environments; isolation of directly identifying tax data (`CreatorTaxData`, separate store).
2. Encryption (Art. 32 (1) (a)).
3. Confidentiality (Art. 32 (1) (b)).
4. Integrity (Art. 32 (1) (b)). Audit logging of data exports and write operations; attribution to authenticated identities; integrity hashing (SHA-256 or stronger — verify). Server-side enforcement of advertising disclosure (`assertWerbekennzeichnungPresent`).
5. Availability and resilience (Art. 32 (1) (b)). Backups, geographic redundancy and DDoS protection per the respective managed-service providers. RPO/RTO: [PLACEHOLDER: RPO/RTO targets] — to be specified.
6. Recoverability (Art. 32 (1) (c)). Incident-response runbook; restoration procedures; restoration drills [PLACEHOLDER: cadence].
7. Regular testing (Art. 32 (1) (d)). Vulnerability scanning; penetration testing [PLACEHOLDER: cadence]; error/security monitoring via Sentry; annual TOM review.
8. Organisational measures. DPO/contact (§ 1); least-privilege/joiner-mover-leaver process; annual data-protection training; incident response with 24-hour Controller notification (§ 9 (1)). The consent-management platform (CMP, 4 categories, append-only `ConsentRecord`, HMAC anonymous consent cookie, `policyVersion`) is operated under Collavo's own controller responsibility (TDDDG) and is listed for completeness, not as a processor-assistance measure (§ 8 (3)).
9. Certifications and standards. [PLACEHOLDER: ISO/IEC 27001, SOC 2 Type II, BSI C5: status / dates / bodies, if any]. Where the Processor relies on sub-processor certifications, these are referenced in Annex 3.
10. Sub-processors. Sub-processors must implement measures at least equivalent to this Annex 2 (Art. 28 (4) GDPR); their audit reports are provided to the Controller on request.
Effective date: [PLACEHOLDER: date] · Notice of changes: ≥ 30 days (§ 7 (3))
Architecture-derived; the operator must verify each entry, its seat, the transfer mechanism and the EU-region configuration before go-live.
| # | Sub-processor (legal entity) | Service / purpose | Data categories | Location / transfer mechanism |
|---|---|---|---|---|
| 1 | Neon [PLACEHOLDER: entity] | Postgres database, incl. `better_auth` sessions | identity, auth, campaign/app data | EU region selectable → verify; SCC if non-EEA |
| 2 | Vercel [PLACEHOLDER: entity] | Web hosting (Next.js) | log/usage, served app data | USA → SCC (Module 3) + TIA |
| 3 | Railway [PLACEHOLDER: entity] | API hosting (NestJS) + Redis | app/session/cache data | [PLACEHOLDER: region] → verify; SCC if non-EEA |
| 4 | OpenAI [PLACEHOLDER: entity] | AI caption/hashtag/brief generation, RAG chat | prompt content, campaign text | USA → SCC (Module 3) + TIA; DPF if certified |
| 5 | Cloudflare [PLACEHOLDER: entity] | R2 asset storage, signed URLs | content assets | USA/global → SCC + TIA |
| 6 | SendGrid / Twilio [PLACEHOLDER: entity] | Transactional e-mail | contact data, message metadata | USA → SCC + TIA |
| 7 | Sentry [PLACEHOLDER: entity] | Error monitoring | log/diagnostic data | [PLACEHOLDER: region] → verify; SCC if non-EEA |
| 8 | Expo [PLACEHOLDER: entity] | Mobile build/update, push notifications | device/push tokens | [PLACEHOLDER: region] → verify; SCC if non-EEA |
Sub-processor certifications relied upon: [PLACEHOLDER: list per provider].
Independent controllers (not sub-processors):
Not sub-processors (§ 7 (6), status of payment provider and social platforms as independent controllers). Stripe (payments/escrow/payouts) and the social platforms (Meta/Instagram, TikTok, YouTube) are not listed here as sub-processors; they generally act as independent controllers for the data they receive. Their relationship with the Controller/creator is governed by their respective terms.
Tax data carve-out (§ 3 (4)). Tax identification numbers (TIN) and VAT IDs collected from creators for statutory DAC7 reporting are processed by the Processor as a controller in an isolated `CreatorTaxData` store (field-level AES-256-GCM encryption, HMAC pepper, reporting to the German Federal Central Tax Office / BZSt) and therefore fall outside the scope of this DPA. They are listed here only for transparency. (Architecture-derived; to be verified by the operator.)