Data Processing Agreement (DPA)
Pursuant to Art. 28 GDPR · As of June 7, 2026
Preamble
This Data Processing Agreement ("DPA") specifies the data protection obligations of the contracting parties arising from the user agreement existing between them regarding the Dumpstera platform (the "Main Agreement"). It applies to all activities in which employees of the processor or sub-processors engaged by the processor come into contact with the controller's personal data.
§ 1 Parties
Processor:
Zepia UG (haftungsbeschränkt)
Tölzer Str. 5, 81379 Munich, Germany
represented by the Managing Director Felix Bauerdorf
Email: info@dumpstera.org
Controller: the customer using the Dumpstera platform on the basis of the Main Agreement.
§ 2 Subject Matter and Duration of Processing
- The subject matter of processing is the provision of the SaaS platform Dumpstera for organizing, analyzing and managing invoices and other documents of the controller.
- The duration of processing corresponds to the term of the Main Agreement. It ends with its termination, unless statutory retention periods apply.
§ 3 Nature and Purpose of Processing
The processor processes personal data exclusively to perform the contractually owed services, in particular:
- Storage and management of uploaded documents
- Receiving and processing invoices via email
- Automated extraction and analysis of invoice data (including AI processing)
- Provision of reports, exports and dashboards
- Authentication and user management
- Operation, maintenance and support of the platform
§ 4 Type of Data
- Master data (name, address, company name)
- Contact data (email address, phone number where applicable)
- Login and authentication data
- Invoice and accounting data (amounts, tax rates, line items)
- Content of uploaded documents
- Usage and metadata (log data, timestamps, IP addresses)
§ 5 Categories of Data Subjects
- Users and employees of the controller
- Customers, suppliers and business partners of the controller
- Other persons named in the processed documents
§ 6 Obligations of the Processor
- The processor processes personal data only within the scope of the Main Agreement, this DPA and on documented instructions from the controller.
- The processor ensures that persons authorized to process the data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
- The processor takes all required technical and organizational measures pursuant to Art. 32 GDPR (see § 9).
- The processor assists the controller in fulfilling data subjects' rights (Art. 12–23 GDPR) and in complying with the obligations under Art. 32–36 GDPR.
- The processor will inform the controller without undue delay if it considers that an instruction violates applicable data protection law.
- The processor designates a responsible point of contact for data protection inquiries: info@dumpstera.org.
§ 7 Obligations of the Controller
- The controller is the controller within the meaning of Art. 4(7) GDPR for the processing of data by the processor.
- The controller is obliged to ensure all necessary consents and legal bases for processing.
- The controller will inform the processor without undue delay if it identifies errors or irregularities in the results of the processing.
§ 8 Sub-Processors
- The controller grants the processor a general authorization to engage further processors (sub-processors).
- A current list of engaged sub-processors is available upon request.
- The processor informs the controller of any intended changes regarding the addition or replacement of sub-processors. The controller may object to such changes within 30 days for good cause.
- The processor contractually obliges each sub-processor to data protection obligations corresponding to those agreed here.
- For transfers to third countries, the processor ensures appropriate safeguards pursuant to Art. 44 et seq. GDPR (in particular EU Standard Contractual Clauses).
§ 9 Technical and Organizational Measures (TOMs)
The processor takes the following measures to ensure a level of protection appropriate to the risk pursuant to Art. 32 GDPR:
- Confidentiality: Encrypted data transmission (TLS 1.2+), access controls, role-based permissions, multi-factor authentication for administrators.
- Integrity: Input control through logging, protection against unauthorized modification through row-level security and a permission system.
- Availability: Regular backups, redundant storage, recovery procedures, monitoring.
- Resilience: Hosting in certified EU data centers, protection against DDoS and abuse.
- Pseudonymization & encryption: Encrypted storage of sensitive data (encryption at rest), password hashing.
- Review procedures: Regular review, assessment and evaluation of the effectiveness of the TOMs.
§ 10 Notification Obligations for Data Breaches
The processor informs the controller without undue delay of any personal data breach that becomes known to it. The notification includes at least the information specified in Art. 33(3) GDPR.
§ 11 Audit and Information Rights
- The processor demonstrates compliance with the obligations set out in this DPA upon request of the controller.
- The controller is entitled to verify compliance with the TOMs, as a rule by means of suitable evidence (e.g. certificates, audit reports of sub-processors).
- On-site inspections take place with reasonable advance notice, during normal business hours and without disrupting operations.
§ 12 Deletion and Return of Data
After termination of the Main Agreement, the processor deletes or returns all personal data at the controller's choice, unless a statutory retention obligation exists. The deletion is documented upon request.
§ 13 Liability
The liability of the parties is governed by the provisions of the Main Agreement and Art. 82 GDPR.
§ 14 Final Provisions
- German law applies, to the exclusion of the UN Convention on Contracts for the International Sale of Goods.
- Should individual provisions of this DPA be invalid, this shall not affect the validity of the remaining provisions.
- Amendments and supplements to this DPA require text form. This also applies to amending this text form clause.
- In the event of contradictions between this DPA and the Main Agreement, the provisions of this DPA prevail.
Conclusion of the DPA
By using the Dumpstera platform, the controller accepts this DPA. Upon request, the processor will provide a signed version. Please direct related inquiries to info@dumpstera.org.