Important: Convenience Translation
This Data Processing Agreement (DPA) is a convenience translation of the German Auftragsverarbeitungsvertrag (AVV). In the event of any discrepancy, the German version shall prevail. The German version is available at sternflut.de/av-vertrag.
Last updated: April 4, 2026
Based on the template provided by the Bavarian Data Protection Authority (BayLDA), adapted for the SaaS platform Sternflut.
Controller (Data Controller):
The respective customer who uses the SaaS platform Sternflut and has registered at https://sternflut.de.
Processor (Data Processor):
Timo Brenner
Sternflut (Sole Proprietorship / Einzelunternehmer)
c/o POSTFLEX PFX-046-301
Emsdettener Straße 10
48268 Greven, Germany
Email: info@sternflut.de
The Processor processes personal data on behalf of the Controller in the course of providing the SaaS platform “Sternflut.” The processing includes in particular:
The service is provided via servers in the European Union (Supabase: EU Frankfurt; Vercel: EU Frankfurt as primary server location). Where sub-processors in third countries are engaged, data transfers are based on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. For transfers of personal data from the United Kingdom, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses shall apply, as appropriate.
Duration: This Agreement is tied to the term of the main contract (Terms of Service) and terminates automatically upon its termination. The Controller may terminate this Agreement at any time without notice if the Processor seriously violates data protection regulations or the provisions of this Agreement.
Purpose of processing: Processing of personal data of end customers of the Controller for the purpose of sending review requests, aggregating reviews, managing customer communication, and generating analytics.
Nature of processing: Collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, destruction.
Types of personal data:
Special categories of personal data (Art. 9 GDPR) are not processed.
Categories of data subjects: End customers (clients, patients, guests, etc.) of the Controller.
The Controller is solely responsible for assessing the lawfulness of processing pursuant to Art. 6(1) GDPR and for safeguarding the rights of data subjects under Art. 12–22 GDPR. The Processor is obliged to forward any requests recognisably addressed to the Controller without undue delay.
The Controller issues instructions primarily through the Platform's user interface. Supplementary or deviating instructions must be issued in text form (including email to info@sternflut.de).
The Controller is obliged to treat all knowledge of business secrets and data security measures of the Processor obtained within the contractual relationship as confidential.
Authorised persons of the Controller: The account holder and team members designated as administrators by the account holder.
Contact person at the Processor: Timo Brenner, Email: info@sternflut.de
The Processor processes personal data exclusively within the framework of the agreements made and according to the Controller's instructions, unless required to do so by Union or Member State law (Art. 28(3)(a) GDPR).
The Processor does not use the personal data provided for any other purposes, in particular not for its own purposes. Copies or duplicates are not created without the Controller's knowledge, with the exception of technically necessary backups.
The Processor ensures that the Controller's data is logically separated from the data of other controllers by Row-Level Security (RLS) policies enforced at the database level, so that each query is restricted to the rows belonging to the Controller's account.
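The following is an added, illustrative example of what database-level separation by Row-Level Security looks like in Postgres (the database engine behind Supabase). It is not Sternflut's schema or policy text; the table and column names (account_members, review_requests, account_id) and the use of Supabase's auth.uid() helper to identify the calling user are assumptions for the example.

```sql
-- Added example (not the Processor's actual schema): tenant isolation with
-- Postgres Row-Level Security. Assumed objects: account_members,
-- review_requests, account_id; assumed helper: auth.uid() (Supabase).

create table if not exists account_members (
  account_id uuid not null,
  user_id    uuid not null,
  role       text not null check (role in ('owner', 'admin', 'member')),
  primary key (account_id, user_id)
);

create table if not exists review_requests (
  id              uuid primary key default gen_random_uuid(),
  account_id      uuid not null,
  recipient_email text,
  created_at      timestamptz not null default now()
);

-- Enable RLS on every table that holds controller data. FORCE makes the
-- policies apply to the table owner as well, so an owning application
-- role cannot silently read across tenants.
alter table account_members enable row level security;
alter table account_members force row level security;
alter table review_requests enable row level security;
alter table review_requests force row level security;

-- With RLS enabled and no matching policy, a table returns no rows at all:
-- access is deny-by-default and each policy grants a narrow exception.

-- A user may see only their own membership rows.
create policy members_self on account_members
  for select
  using (user_id = auth.uid());

-- Review requests are visible and writable only for accounts the caller
-- belongs to. USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects
-- INSERT/UPDATE rows that would land in another controller's account.
create policy tenant_rw on review_requests
  for all
  using (
    exists (
      select 1
      from account_members m
      where m.account_id = review_requests.account_id
        and m.user_id = auth.uid()
    )
  )
  with check (
    exists (
      select 1
      from account_members m
      where m.account_id = review_requests.account_id
        and m.user_id = auth.uid()
    )
  );

-- Check which policies are actually active before relying on them,
-- e.g. as part of an audit or a deployment test.
select schemaname, tablename, policyname, cmd, qual, with_check
from pg_policies
where tablename in ('account_members', 'review_requests')
order by tablename, policyname;
```

Two caveats a reviewer would check: RLS only protects tables on which it has been enabled, so the pg_policies query above (or a check of pg_class.relrowsecurity) should cover every table holding controller data, not just one; and connections that bypass RLS (in Supabase, the service_role key; in Postgres generally, superusers and roles with BYPASSRLS) must scope their queries by account in application code, because the policies do not apply to them.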
The Processor shall assist the Controller, to the extent necessary, in fulfilling data subject rights under Art. 12–22 GDPR, in maintaining records of processing activities, and in carrying out any required data protection impact assessments (Art. 28(3)(e) and (f) GDPR).
The Processor shall notify the Controller without undue delay if, in its opinion, an instruction violates legal provisions (Art. 28(3) sentence 3 GDPR).
The Processor may only disclose personal data to third parties or data subjects with the Controller's prior instruction or consent.
Audit rights (Art. 28(3)(h) GDPR): The Controller is entitled to verify compliance by (a) requesting information in text form, (b) reviewing documentation and audit reports, and (c) conducting on-site inspections, subject to prior appointment made at least 14 days in advance. Audits may be conducted at most once per calendar year unless a specific cause requires more frequent control.
The Processor undertakes to maintain confidentiality in the processing of the Controller's personal data. This obligation survives the termination of the Agreement.
The Processor ensures that employees involved in processing are familiar with data protection regulations and have been bound to confidentiality (Art. 28(3)(b) and Art. 29 GDPR).
A data protection officer has not been appointed at the Processor as there is no legal requirement to do so (§ 38 BDSG, German Federal Data Protection Act). For data protection inquiries: info@sternflut.de
The Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware, of any disruptions, breaches of data protection regulations, or suspected data breaches. The Processor shall assist the Controller in fulfilling its obligations under Art. 33 and 34 GDPR (Art. 28(3)(f) GDPR). The notification shall contain at minimum:
The Controller hereby grants the Processor general written authorisation to engage sub-processors pursuant to Art. 28(2) sentence 1 GDPR.
The Processor shall inform the Controller of any intended changes regarding sub-processors at least 14 days before the planned change by email. The Controller has the right to object to the change within 14 days of receipt of the notification (Art. 28(2) sentence 2 GDPR).
The Processor is liable to the Controller for ensuring that sub-processors comply with data protection obligations. Engagement of sub-processors in third countries is only permitted under Art. 44 ff. GDPR.
| Sub-Processor | Purpose | Third-Country Transfer Mechanism |
|---|---|---|
| Supabase Inc., USA (Server: EU Frankfurt) | Database, Auth, Storage | DPF / SCCs |
| Vercel Inc., USA (Server: EU Frankfurt) | Application Hosting | DPF / SCCs |
| Cloudflare Inc., USA | DNS, CDN, DDoS Protection | DPF / SCCs |
| Stripe Inc., USA / Stripe Payments Europe Ltd., IE | Payment Processing | DPF / SCCs |
| Resend Inc., USA | Email Delivery | SCCs |
| Twilio Inc., USA | SMS and WhatsApp Delivery | DPF / SCCs |
| LOX24 GmbH, DE | SMS Delivery (Germany) | — (EU) |
| Meta Platforms Inc., USA / IE | WhatsApp, Facebook, Instagram APIs | DPF / SCCs |
| Telegram FZ-LLC, Dubai | Telegram Bot Messaging | SCCs |
| Google LLC, USA / IE | Places API, Business Profile, Gmail OAuth | DPF / SCCs |
| Microsoft Corp., USA / IE | Outlook OAuth, Graph API | DPF / SCCs |
| Anthropic PBC, USA | AI Reply Suggestions (transient, no storage) | SCCs |
| Trustpilot A/S, DK | Review Retrieval | — (EU) |
| Functional Software Inc. (Sentry), USA | Error Tracking (consent-gated only) | SCCs |
| Healthchecks.io | Cron Monitoring (no PII) | — |
Note: If the Controller connects their own email accounts (Gmail, Outlook, or other SMTP servers) to the Platform, the respective email providers of the Controller are not sub-processors of the Processor.
Upon termination of the Agreement, the Processor shall — at the Controller's choice — either delete all personal data processed on behalf of the Controller or return it to the Controller (Art. 28(3) sentence 2(g) GDPR). Return is provided via the Platform's data export function in a structured, commonly used, and machine-readable format (JSON). After return or after expiry of the export period, the data is deleted.
Message send logs that are billing-relevant are retained in anonymised form in accordance with tax law retention requirements (§ 147 AO, German Fiscal Code). Deletion is confirmed to the Controller in text form upon request.
The processing of personal data under this Agreement is included in the remuneration of the main contract (Terms of Service). No separate fee is charged for data processing.
Reference is made to Art. 82 GDPR. In all other respects, the liability provisions of the Terms of Service (§ 8) apply.
(1) Amendments and additions to this Agreement require text form (including email).
(2) Should the Controller's property or personal data held by the Processor be endangered by third-party measures (e.g. seizure or confiscation), insolvency proceedings, or other events, the Processor shall notify the Controller without undue delay.
(3) The right of retention (§ 273 BGB, German Civil Code) with respect to the data processed on behalf of the Controller is excluded.
(4) Should individual parts of this Agreement be invalid, this shall not affect the validity of the Agreement as a whole. The statutory provisions shall apply in place of the invalid provision (§ 306(2) BGB, German Civil Code).
(5) This Agreement is governed by the laws of the Federal Republic of Germany.
(6) Agreements on technical and organisational measures as well as audit and inspection records shall be retained by both parties for the duration of their validity and for three full calendar years thereafter.
(7) In the event of conflicts between this Data Processing Agreement and other agreements between the parties, this Data Processing Agreement shall take precedence with regard to the protection of personal data.
(8) This Agreement is concluded upon the Controller's registration on the Platform and acceptance of the Terms of Service. A separate signature is not required (Art. 28(9) GDPR: the agreement may be drawn up in electronic format). For UK business customers, this DPA also serves as the data processing agreement required under UK GDPR Article 28.