Data Processing Agreement (DPA)
Draft pending legal review
Where REGOLIO processes personal data on behalf of a business customer (controller), a Data Processing Agreement under Art. 28 GDPR applies. The binding version is the German "Auftragsverarbeitungs- vertrag (AVV)". This English page is an informational summary; the German version prevails.
Summary
The DPA covers: subject matter, nature and purpose of processing; categories of data and data subjects; processor obligations (processing on documented instructions, confidentiality, security); the list of sub-processors (see below); technical and organisational measures under Art. 32 GDPR; assistance with data-subject rights and breach notification; audit rights; and deletion or return of data after termination.
Sub-processors
Tier A (always engaged, external recipients): Hetzner in Germany for hosting, storage and backups; Coolify and Traefik in Germany for deployment and reverse-proxy; Mollie in the Netherlands for payments; and Resend, Inc. (USA — EU-US DPF if actively listed, otherwise SCC Module 2 (2021/914) plus TIA) as email provider for transactional email. n8n (orchestration, being phased out), Ollama, Presidio, MinIO, Zitadel and PostgreSQL are self-hosted components, not external Art. 28 recipients.
Tier B (conditional, off by default, per-tenant opt-in only): cloud LLM providers are engaged only if a tenant explicitly enables one via the AIRequestPolicy or BYOK. The default policy disables cloud LLM and BYOK with an empty allowlist, so the default path runs locally on Ollama with no cloud egress and no third-country transfer. When enabled, outbound content is first pseudonymised by the fail-closed Presidio guard and then gated by a provider allowlist, per-tenant budget and audit. For a non-EU cloud provider the transfer relies on the EU-US Data Privacy Framework where the exact entity is actively DPF-listed, otherwise on the 2021 Standard Contractual Clauses, Module 2 (Commission Decision 2021/914), together with a transfer impact assessment and supplementary measures (Presidio pseudonymisation).
Technical and organisational measures
TOMs are derived from the actually implemented architecture: TLS in transit; Fernet field-level encryption at rest; schema-per-tenant isolation plus row-level security per customer; Presidio pseudonymisation before any cloud LLM call (local Ollama by default, no third-country transfer); append-only audit logs; daily encrypted backups; mandatory human approval for write/irreversible AI actions.
Authoritative version
Please refer to the binding German agreement: Auftragsverarbeitungsvertrag (AVV).
Last updated: 2026-06-20. Produced via the REGOLIO legal three-pass
workflow (audit trail under docs/legal/_drafts/).