Data Processing Agreement

Effective 28 May 2026

This Data Processing Agreement ("DPA") is entered into between you, the business that integrates elvix into your application (the "Controller"), and the Einzelunternehmen trading as "edvone" (Inhaber Edvard Grei), Jülicher Straße 72a, 52070 Aachen, Germany, operating elvix (the "Processor"). It governs the Processor's processing of personal data on the Controller's behalf under Article 28 GDPR and forms part of the Terms of Service. It takes effect when you begin processing end-user personal data through elvix; a countersigned copy is available on request at [email protected]. Where this DPA conflicts with the Terms on data protection, this DPA prevails.

This DPA covers only data the Processor handles on the Controller's instructions (the Controller's end users). For the elvix account data of which elvix is itself the controller, the Privacy Policy applies instead.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Controller", "Processor", "personal data", "processing", "data subject", "personal data breach", and "sub-processor" have the meanings given in Art. 4 GDPR. "SCCs" means the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914).

2. Roles and scope

The Controller determines the purposes and means of processing its end users' personal data. The Processor processes that data solely to provide the elvix service. The subject matter, duration, nature and purpose of processing, the types of personal data, and the categories of data subjects are set out in Annex 1.

3. Processing on documented instructions (Art. 28(3)(a))

The Processor processes personal data only on the Controller's documented instructions, which comprise this DPA, the Terms, and the Controller's configuration of its application in the Console, unless required to act by EU or Member-State law (in which case the Processor informs the Controller beforehand unless that law prohibits it). The Processor informs the Controller if, in its opinion, an instruction infringes data-protection law. The Processor does not sell end-user data and does not use it for its own purposes.

4. Confidentiality (Art. 28(3)(b))

The Processor ensures that persons authorised to process the personal data are bound by confidentiality and process it only as instructed.

5. Security (Art. 28(3)(c), Art. 32)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in force are described in Annex 2 and may be updated as the state of the art evolves, provided the level of protection is not reduced.

6. Sub-processors (Art. 28(2), (3)(d))

The Controller gives general authorisation for the Processor to engage the sub-processors listed in Annex 3, each bound by data-protection obligations no less protective than this DPA. The Processor will inform the Controller of any intended addition or replacement of a sub-processor in good time and give the Controller the opportunity to object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected service.

7. Assistance with data-subject rights (Art. 28(3)(e))

Taking into account the nature of the processing, the Processor assists the Controller with appropriate measures, insofar as possible, to respond to data-subject requests under Chapter III GDPR. elvix provides self-service access, export (machine-readable JSON), correction, and deletion tools that the Controller and its end users can use directly.

8. Assistance with security, breach, and impact assessment (Art. 28(3)(f))

Taking into account the nature of processing and the information available to it, the Processor assists the Controller in ensuring compliance with Articles 32 to 36 GDPR, including breach notification and data-protection impact assessments.

9. Personal data breach (Art. 33)

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with the information then available to it, and provides reasonable cooperation so the Controller can meet its own notification duties.

10. Return or deletion (Art. 28(3)(g))

On termination of the service, the Processor deletes or returns the Controller's personal data at the Controller's choice, and deletes existing copies, unless EU or Member-State law requires storage. A reasonable export window is provided before deletion.

11. Audits and information (Art. 28(3)(h))

The Processor makes available to the Controller the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections. Audits may be satisfied by up-to-date documentation or third-party certifications where available, and on-site inspections require reasonable prior notice, confidentiality, and must not disrupt operations or other customers' data.

12. International transfers

Primary processing takes place in Germany. Where a sub-processor in a third country processes personal data, the transfer is governed by the SCCs and, where applicable, the sub-processor's EU-US Data Privacy Framework certification.

13. Liability

Liability under this DPA is governed by Art. 82 GDPR and, to the extent legally permissible, by the limitation-of-liability provisions of the Terms. Nothing in this DPA limits any liability that cannot be limited under applicable law.

14. Term and governing law

This DPA remains in force for as long as the Processor processes personal data on the Controller's behalf. It is governed by the law of the Federal Republic of Germany; the place of jurisdiction is Aachen so far as legally permissible.

Annex 1: Details of the processing

  • Subject matter:provision of the elvix sign-in and identity service to the Controller's application.
  • Duration: the term of the Terms of Service between the parties.
  • Nature and purpose:authentication, identity and profile management, session management, and the related audit trail, on the Controller's instructions.
  • Types of personal data:identifiers (email addresses, name, username, avatar); authentication data (hashes of one-time codes, passkey public keys, OAuth provider account ids and payloads); profile data the data subject chooses to provide (such as phone, date of birth, gender, pronouns, postal addresses, languages, and tax or legal-entity details) to the extent the Controller's application uses it; sign-in audit data (timestamp, coarse country, user-agent); and any custom attributes the Controller stores against its users.
  • Categories of data subjects:the Controller's end users and prospective end users.

Annex 2: Technical and organisational measures (Art. 32)

  • Encryption in transit (TLS) for all connections; encryption at rest for sensitive secrets.
  • One-time codes stored only as hashes; passkeys store only public keys (private keys never leave the user's device).
  • Confidentiality through least-privilege access controls, authentication for operators, and access logging.
  • Integrity through input validation, CSRF protection, and signed webhook delivery.
  • Availability and resilience through managed PostgreSQL with regular backups and tested restore procedures.
  • Pseudonymisation and minimisation: raw IP addresses are reduced to coarse country and discarded; data collection is limited to what the service requires.
  • Regular evaluation through monitoring, audit logging, and dependency scanning.
  • Breach detection and notification of the Controller without undue delay.
  • Soft-deletion and defined retention limits, with deletion of end-user data on request.

Annex 3: Approved sub-processors

  • delvix (Germany): managed PostgreSQL database hosting.
  • Cloudflare, Inc. (USA): DNS, TLS, DDoS protection, CDN, and R2 object storage for images. SCCs.
  • Resend (USA): delivery of transactional email such as sign-in codes. SCCs.
  • Google LLC (USA): identity verification when a data subject chooses Google sign-in, and address autocomplete (Google Maps / Places) where used. SCCs.