Data Processing Agreement (DPA)
pursuant to Art. 28 General Data Protection Regulation (GDPR) | As of: February 2026
Note: This DPA is an integral part of the usage contract (T&Cs) between you and Meister Weber. By using the Aufmaß App under a paid tariff, you agree to the terms of this DPA. This DPA applies from the time your paid account is activated.
Preamble
The Client (user of the Aufmaß App, hereinafter "Controller") engages the Service Provider (Meister Weber, Andreas Weber, hereinafter "Processor") to process personal data within the meaning of Art. 4 No. 2 GDPR. This agreement governs the rights and obligations of the parties in connection with this processing pursuant to Art. 28 GDPR.
§ 1 – Subject Matter and Duration of Processing
The subject matter of the processing on behalf of the Controller is the provision of the Aufmaß App as a SaaS service (Software-as-a-Service), through which the Controller processes personal data of their customers (end customers, clients, building owners).
Processing takes place for the duration of the usage contract. After contract termination, data will be deleted or returned pursuant to § 9 of this agreement.
§ 2 – Nature and Purpose of Processing
| Category | Details |
|---|---|
| Nature of processing | Collection, storage, transmission, structuring, retrieval, use, deletion of personal data in the context of app use |
| Purpose | Measurement recording, project documentation, file export (PDF, Excel), transmission to ERP systems (e.g., FenOffice NG, Klaes, Cobus Adulo, MFR, Odoo) on behalf of and pursuant to the Controller's instructions |
| Categories of data subjects | Customers and business partners of the Controller (building owners, end customers, clients) |
| Categories of personal data | Name, address, contact details (phone, email), project data, address and building data, photographs of buildings/objects |
| Special categories | None (no processing of special categories pursuant to Art. 9 GDPR intended) |
§ 3 – Obligations of the Processor
The Processor undertakes in particular to:
- Process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law; in such a case, the Processor shall inform the Controller of that legal requirement before processing.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 (3)(b) GDPR).
- Implement all measures required pursuant to Art. 32 GDPR (see § 7 of this agreement).
- Respect the conditions referred to in § 4 for engaging sub-processors.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR.
- Assist the Controller in ensuring compliance with the obligations pursuant to Art. 32–36 GDPR.
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services and delete existing copies unless Union or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and in this agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
§ 4 – Sub-processors (Art. 28 (2) GDPR)
The Controller grants the Processor general authorisation to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
Currently engaged sub-processors:
all-inkl.com – Neue Medien Münnich (Web Hosting)
Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany
Privacy: all-inkl.com/datenschutzinformationen/
Purpose: Hosting of the marketing website (aufmass-app.com) – server location: Germany (EU)
Legal basis: Art. 28 GDPR – DPA concluded with all-inkl.com
OpenAI, LLC (only when AI functions are used)
3180 18th Street, San Francisco, CA 94110, USA
Purpose: AI-assisted text recognition and image analysis (only when using the corresponding optional app functions)
Transfer mechanism: Standard Contractual Clauses (Art. 46 (2)(c) GDPR)
Google LLC (only when AI functions are used)
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: AI-assisted data analysis (Gemini API, only when using the corresponding optional app functions)
Transfer mechanism: Standard Contractual Clauses (Art. 46 (2)(c) GDPR)
§ 5 – Controller's Right to Issue Instructions
Processing of personal data takes place solely on the basis of the Controller's documented instructions. The basic instructions are set out in this agreement (§ 2). Further individual instructions may be issued in writing or in text form (e.g., by email).
The Processor shall immediately inform the Controller if it considers that an instruction infringes the GDPR or other data protection provisions.
§ 6 – Obligations of the Controller
The Controller bears responsibility for the lawfulness of the data processing. The Controller undertakes in particular to:
- Ensure that an appropriate legal basis exists for the processing of personal data of their customers entered into the app.
- Immediately inform the Processor if it discovers errors or irregularities in the results of the processing.
- Inform their customers (data subjects) about the transfer of their data to the Processor within the Controller's own privacy policy.
§ 7 – Technical and Organisational Measures (TOMs, Art. 32 GDPR)
The Processor implements the following technical and organisational measures to protect personal data:
Confidentiality
- Access control (password-protected accounts)
- Access only for authorised personnel
- Encryption of data in transit (TLS)
Integrity
- Access logging
- Input control (validation)
- Transmission encryption
Availability
- Regular data backups
- Backup retention: 90 days
- Server location: EU
Resilience / Recovery
- App offline capability (PWA)
- Incident recovery procedure
- Regular review of measures
§ 8 – Notification Obligations in Case of Data Breaches (Art. 33, 34 GDPR)
The Processor shall assist the Controller in fulfilling its obligations pursuant to Art. 33 and 34 GDPR (notification obligations in the event of personal data breaches). The Processor shall notify the Controller of personal data breaches without undue delay, and at the latest within 48 hours of becoming aware, by email to the address registered in the account.
The notification shall include at minimum: the nature of the breach, the categories of data affected, the number of data subjects affected, and the remedial measures taken.
§ 9 – Deletion and Return after Contract End
After termination of the usage contract or upon request by the Controller, all personal data processed on the Controller's behalf will be handled as follows:
- Upon the Controller's request: handover in a machine-readable format (e.g., JSON, CSV, PDF export) within 30 days of request.
- Subsequent deletion from active systems within 30 days of contract end or after handover.
- Deletion from backup systems within 90 days of active deletion.
- Statutory retention obligations of the Processor remain unaffected (e.g., accounting records from billing).
§ 10 – Contact
Processor (contact for data protection matters):
Meister Weber, Andreas Weber
Hauptstraße 25, 36157 Ebersburg, Germany
Email: andreas@meister-weber.de
Phone: +49 6656 432 9807
§ 11 – Final Provisions
This DPA is governed by the laws of the Federal Republic of Germany. Should any provision be invalid, the validity of the remaining provisions shall remain unaffected. Amendments to this DPA require text form. In the event of conflicts between this DPA and the T&Cs, this DPA shall take precedence with regard to data protection matters.
This DPA is deemed concluded upon conclusion of the usage contract (activation of a paid account) and has been entered into in writing in electronic form pursuant to Art. 28 (9) GDPR.