Data Processing Agreement (DPA) under Art. 28 GDPR

Version: 2026-02-05

Note: This non-German version was generated by machine translation. In case of doubt, the German text is authoritative.

1. Parties

Processor (AV): netzmal GmbH, Hinrich-Fehrs-Str. 3, 25813 Husum, Germany, Representative/Owner: Tim David Saxen, E-mail: info@netzmal.de

Controller (V): the respective user/company uploading files. The uploader confirms that they are authorized to transmit the files and legally entitled to act.

2. Subject, Duration, Nature and Purpose

  • Subject: Validation/analysis of uploaded e-invoices (PDF/XML; e.g., ZUGFeRD/Factur-X/XRechnung) and display of results.
  • Duration: from upload until completion of analysis; deletion of uploaded files and temporary artifacts no later than 24 hours.
  • Nature of processing: receipt, temporary storage, extraction (e.g., XML from PDF), parsing/validation, output in the browser.
  • Purpose: provision of the validation tool; no processing for own purposes.

3. Data Categories / Data Subjects

  • Data subjects: contacts/employees, customers/suppliers of the Controller, possibly natural persons on invoices.
  • Data: typically names/addresses/contact details, invoice and service data, tax data, possibly IBAN (if contained).

4. Instructions

The Processor processes personal data only on documented instructions of the Controller. The instruction is the upload and use of the analysis functions.

5. Obligations of the Processor

  • Confidentiality and access only for authorized persons.
  • Implementation of appropriate technical and organizational measures pursuant to Art. 32 GDPR (short description below; details on request).
  • Sub-processors only in accordance with this DPA; list/info on request or in the privacy notices.
  • Support with data subject rights/incidents relating to this processing.
  • Deletion as above (no later than 24 hours).

Short description of TOMs (details on request)

  • Encrypted transmission (TLS/HTTPS).
  • Access control (least privilege) on servers/directories.
  • Minimization of logs (no invoice contents in logs).
  • Automated deletion of temporary upload data (max. 24h).
  • Separation of production/test environments (where applicable).

6. Obligations of the Controller

  • Legal basis/information obligations towards data subjects.
  • Upload only authorized files; no unlawful content.

7. Electronic Conclusion

The DPA is concluded electronically by ticking the checkbox and uploading the file.

Note: This DPA complements the privacy notice/terms, where applicable.