Agreement on data processing pursuant to Art. 28 GDPR
between
…………………………………………………………………
(Name, address of the customer)
— Controller —
and
Erik Eggerth
Schluttenbacher Digitalagentur
Lange Str. 22
76275 Ettlingen OT Schluttenbach
Germany
info@ppwr-qrcode.de
USt-IdNr.: DE308523905
— Processor —
§ 1 Subject matter and duration
(1) The subject matter of the agreement is the processing of personal data by the processor within the scope of the PPWR-QR-Code platform ([ppwr-qrcode.de](https://ppwr-qrcode.de)) for the fulfilment of the controller's PPWR compliance.
(2) The term of the agreement corresponds to the term of the main contract (plan subscription). Upon termination of the main contract, this DPA also ends automatically.
§ 2 Nature and purpose of the data processing
(1) In particular, the following categories of data are processed:
- Master data of the customer (company, address, VAT ID)
- Account data (email, password hash, 2FA configuration)
- Content data of the QR codes (product information, packaging details)
- Scan statistics in pseudonymised form (IP hash, device category, country)
- Payment metadata (Stripe customer ID, subscription status)
(2) Purpose: Provision of the PPWR-QR-Code platform, compliance documentation, billing, support, statistics.
§ 3 Data subjects
- Employees of the customer with access to the platform
- End customers who scan a QR code (only pseudonymous scan data)
- Referrers / referred persons in the affiliate programme (if activated)
§ 4 Obligations of the processor
The processor warrants in particular:
- Processing exclusively on the documented instructions of the controller — server location EU (Frankfurt/Main, Vercel + Supabase EU region).
- Obligation of the persons involved in the processing to maintain confidentiality (Art. 28(3)(b)).
- Technical and organisational measures pursuant to Art. 32 GDPR (see Annex 1).
- Immediate notification of personal data breaches (Art. 33 GDPR) within 24 hours of becoming aware.
- Support with requests from data subjects (Art. 15–22 GDPR) and with data protection impact assessments (Art. 35 GDPR).
- After the end of the contract: return or deletion of all personal data at the controller's choice (Art. 28(3)(g)) — exception: compliance retention obligations pursuant to Section 257 HGB / Section 147 AO.
§ 5 Sub-processors
The controller approves the following sub-processors:
| Provider | Service | Registered office |
|---|---|---|
| Supabase Inc. | Database, auth, storage | EU (Frankfurt) |
| Vercel Inc. | Hosting, edge functions | EU (Frankfurt fra1) + DE |
| 1&1 IONOS SE | Email delivery (SMTP) | DE (Karlsruhe) |
| Stripe Payments Europe Ltd. | Payment processing | IE (Dublin) |
| fal.ai Inc. | AI image generation (marketing assets only, no customer data) | US, DPA in place |
Changes will be announced 30 days in advance. If the controller objects, it may terminate the main contract without notice.
§ 6 Rights of the controller
The controller has the right to audit — either by means of audit reports (ISO 27001, SOC2 of the subcontractors) or by on-site inspection with 14 days' prior notice.
§ 7 Liability
The provisions of Art. 82 GDPR apply. Any limitation of liability in the main contract remains unaffected for the data processing.
Annex 1: Technical and organisational measures (TOM)
- **Physical access control:** Cloud data centres (Supabase, Vercel) with ISO 27001 certification, biometric access.
- **System access control:** Mandatory 2FA for all admin accounts, BCrypt-hashed passwords (cost factor ≥ 12), hashed API keys.
- **Data access control:** Row-Level Security (RLS) on all database tables, role-based API authentication.
- **Transfer control:** TLS 1.3 for all data flows, HSTS preload, PDF sandbox on an isolated subdomain.
- **Input control:** Audit trail of all QR code content changes via versioning (qr_content_versions).
- **Job control:** Written instructions exclusively by the controller, documented in the account.
- **Availability control:** Daily backups, point-in-time recovery, status monitoring via Telegram alerts.
- **Separation control:** Tenant separation via user_id RLS, separate storage buckets.
Place, date: ……………………………………
Controller: ……………………………………
Processor: Erik Eggerth / Schluttenbacher Digitalagentur, 2026