Data Processing Agreement (DPA)
Annex A to the Terms v2.1 · under Art. 28 GDPR · Version 2.1 · as of 16 June 2026. The German version is legally binding; this English translation is for convenience.
Parties
Controller: the respective customer per order confirmation ("Customer").
Processor: HEINI Operations UG (haftungsbeschränkt), Wierling 19, 48301 Nottuln, Managing Director: Daniel Heinen ("HEINI").
1. Subject and duration
1.1 Subject: provision of the SaaS platform heini.app including the AI colleague on behalf of and per the Customer’s instructions.
1.2 Duration: the term of the main contract (Terms v2.1) plus the transition period under no. 9.
2. Nature and purpose
2.1 Nature: collecting, storing, reading, modifying, displaying, structuring, processing in AI models (only to provide the service to the Customer, not for training), deleting.
2.2 Purpose: providing the contractually owed SaaS service (§ 2 Terms); AI-assisted processing of the Customer’s inputs to produce the owed output.
3. Types of personal data
Where the Customer populates the platform with personal data, in particular: master data (name, address, email, phone); communication content (texts, messages, documents); professional/company data (role, function, affiliation); usage and telemetry data; and any further data the Customer enters.
Special categories (Art. 9 GDPR) may be entered only with a valid legal basis and after prior notice to HEINI in text form. HEINI may require additional technical and organisational measures.
4. Categories of data subjects
The Customer’s employees and business partners; the Customer’s end customers; other natural persons whose data the Customer lawfully enters.
5. Instructions and HEINI’s obligations
5.1 HEINI processes personal data only on the Customer’s documented instructions. These Terms v2.1 and this DPA constitute the standard instruction; any deviating instruction must be given in text form.
5.2 HEINI informs the Customer without delay if an instruction violates the GDPR or other data-protection law.
5.3 HEINI binds all involved persons to confidentiality in writing (Art. 28(3)(b), Art. 29 GDPR).
5.4 HEINI supports the Customer with data-subject rights (Art. 12–22), security (Art. 32), breach notification (Art. 33, 34) and DPIAs (Art. 35, 36) to a reasonable extent.
6. Technical and organisational measures (Art. 32 GDPR)
6.1 Confidentiality: physical access control (Hetzner DC with multi-factor entry, mantraps, video surveillance); system access control (MFA for admin accounts, BSI-aligned password policy); data access control (RBAC, least privilege, audit logs); separation control (multi-tenant separation, per-tenant keys where sensible).
6.2 Integrity: audit-proof logging pipeline; TLS 1.3 in transit; encryption at rest (AES-256).
6.3 Availability: daily encrypted backups; redundant storage in a second German Hetzner availability zone (standard: Falkenstein/Nuremberg) — a deviating backup region only under the Enterprise exception in no. 7.2; RTO ≤ 24 h, RPO ≤ 24 h; provider-level DDoS protection.
6.4 Review: penetration tests at least annually; vulnerability scans monthly; annual data-protection/security training; documented incident-response plan.
6.5 HEINI may further develop the TOMs provided the protection level is not reduced; material changes are documented and communicated on request.
7. Sub-processors
7.1 The Customer consents to the engagement of the sub-processors below. HEINI binds each to a protection level not inferior to this DPA.
7.2 List (as of 16 June 2026): Hetzner Online GmbH (seat Gunzenhausen, DE) — hosting, storage, backup, DDoS protection; processing location Germany, Falkenstein data centre (FSN1) as standard. Further: an AI provider for LLM inference (EU region preferred, see 7.3; omitted with BYOK), optionally an email-dispatch service and a payment provider (each EU/EEA).
Server location (standard + Enterprise exception). The standard processing location for hosting, storage and backup is Falkenstein (FSN1), Germany (single-tenant per customer, EU/EEA). A deviating hosting region is agreed exclusively at the express request of an Enterprise customer in the individual contract (Annex B/D); without such agreement all processing remains in Falkenstein/Germany.
7.3 AI sub-list. For AI inference HEINI is likely to use one or more of: OpenAI Ireland Ltd. (Dublin, IE), Anthropic Ireland Ltd. (Dublin, IE), Google Cloud EMEA Ltd. (Dublin, IE), Mistral AI SAS (Paris, FR), and own HEINI inference on Hetzner GPU (open models, EU-only). For a US parent: EU Standard Contractual Clauses 2021 (Module C2P), complemented by a Transfer-Impact-Assessment and, where applicable, DPF certification. The providers actually used are specified in the order confirmation.
7.3a Customer’s own model (BYOK). If the Customer brings its own AI model/provider, inference runs via the provider chosen by the Customer; selection, contractual relationship and data-protection responsibility (incl. third-country transfer, training/retention terms) lie with the Customer. That provider is not a HEINI-engaged sub-processor; the default providers in 7.2/7.3 apply only where no BYOK is used.
7.4 Change procedure. HEINI informs the Customer at least 30 days before a change to the sub-list in text form. The Customer may object within 30 days for good data-protection cause; if no amicable solution is reached, an extraordinary right of termination exists (§ 11.3 Terms).
7.5 Third-country transfer. Where a sub-processor transfers data to a third country, HEINI ensures an adequate level via (i) adequacy decision, (ii) EU Standard Contractual Clauses 2021 (usually Module C2P), (iii) Transfer-Impact-Assessment and, where applicable, (iv) DPF.
8. Breach notification
8.1 HEINI reports a personal-data breach without undue delay, at the latest within 48 hours of becoming aware, in text form to the Customer’s registered GDPR contact.
8.2 The report contains at least: nature of the breach, data categories affected, approximate number of data subjects, likely consequences, measures taken/proposed, contact person.
8.3 This deadline is stricter than Art. 33 GDPR (72 h to the authority) and is meant to enable the Customer’s own timely notification.
9. Termination, deletion, return
9.1 After contract end HEINI makes the data available for export for 30 days in a customary format (CSV/JSON) (§ 11.5 Terms; Annex E Data Act).
9.2 Thereafter HEINI deletes the personal data from production systems without delay, at the latest within 30 days; backups are overwritten in the rotation cycle (max. 90 days).
9.3 Statutory retention obligations (§ 257 HGB, § 147 AO) remain unaffected; data retained for this is access-restricted.
9.4 On request HEINI provides written proof of deletion.
10. Audit rights
10.1 The Customer may verify compliance with this DPA — via certifications/audit reports (e.g. Hetzner’s ISO 27001), written questionnaires, and, on justified cause, an on-site audit with 14 days’ notice, at most once a year (except in acute cases).
10.2 The Customer bears the cost of an on-site audit unless a material breach is confirmed.
11. Liability
11.1 The liability provision of § 8 Terms v2.1 applies.
11.2 Externally the Customer is liable as controller; internally Art. 82(5) GDPR (joint and several recourse) applies.
12. Final provisions
12.1 In case of conflict between this DPA and the Terms v2.1, this DPA prevails on data-protection matters.
12.2 Amendments require text form (§ 126b BGB).
12.3 German law applies; jurisdiction is the seat of HEINI (§ 13 Terms).