Data Processing Agreement
Stan na: April 2026
§ 1 Subject and Duration
This Data Processing Agreement (DPA) governs the processing of personal data by AfterCost (Processor) on behalf of the Customer (Controller) within the AfterCost SaaS platform pursuant to Art. 28 GDPR.
The term of this DPA is tied to the main contract (Terms of Service). It ends automatically upon termination of the use of the AfterCost platform.
§ 2 Purpose of Processing
The processing of personal data is carried out exclusively for the following purposes:
- Operation of the SaaS platform (profit tracking for marketplace sellers)
- User account management and authentication
- Synchronization and analysis of business data via the Kaufland Seller API
- Transactional emails (registration, password reset, notifications)
§ 3 Types of Personal Data
The following categories of personal data are processed:
- Email addresses of account users
- Names of account users
- Company names
- Usage data (login times, pages visited)
- Technical data (IP addresses in server logs)
End-customer data (names, addresses, contact details of buyers) is neither collected nor stored. AfterCost exclusively processes aggregated order data (revenues, fees, returns) without personal reference to end customers.
§ 4 Categories of Data Subjects
Employees and representatives of the Controller who have access to the AfterCost platform (account owners, team members, invited users).
§ 5 Obligations of the Controller
The Controller is responsible for the lawfulness of data processing. The Controller issues all instructions regarding the processing of personal data, ensures compliance with the principle of data minimization, and informs data subjects about the processing pursuant to Art. 13/14 GDPR.
§ 6 Obligations of the Processor
(1) Instruction binding. AfterCost processes personal data exclusively on documented instructions from the Controller, unless processing is required under Union or Member State law.
(2) Confidentiality. All persons with access to personal data are bound to confidentiality.
(3) Technical and organizational measures. AfterCost implements the measures described in § 9 for the protection of personal data.
(4) Data subject rights. AfterCost assists the Controller in fulfilling data subject rights (access, rectification, erasure, restriction, portability, objection).
(5) Data protection impact assessment. AfterCost assists the Controller in conducting a DPIA where required.
(6) Deletion. Upon termination of the main contract, personal data is deleted in accordance with Terms § 7, unless a statutory retention obligation exists.
§ 7 Sub-processors
The Controller grants general authorization for the use of sub-processors. AfterCost informs of any changes with a 14-day notice period. In case of legitimate objection, a special right of termination exists.
Currently engaged sub-processors:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, Authentication | EU (Frankfurt) | DPA, SOC 2 |
| Vercel Inc. | Hosting, CDN | EU (Frankfurt) | DPA, SOC 2 |
| Stripe Inc. | Payment processing | Ireland/USA | DPA, EU-US DPF |
| Resend | Transactional emails | USA (Processing: EU region Ireland) | DPA, EU-US DPF |
| Sentry (Functional Software Inc.) | Error monitoring | USA (Processing: EU region Frankfurt) | DPA, EU-US DPF |
| Hetzner Online GmbH | API server (VPS) | DE (Nuremberg) | DPA, ISO 27001 |
| Cloudflare Inc. | DNS, CDN, email routing | USA/EU | DPA, EU-US DPF, SCC |
| Axiom Inc. | Log aggregation | USA | DPA, EU-US DPF |
§ 8 Audit Rights
The Controller has the right to request information on compliance with this DPA annually. On-site audits are possible with a 30-day notice period and are conducted during regular business hours.
§ 9 Technical and Organizational Measures (TOMs)
Confidentiality
- TLS 1.2+ for all data transfers, AES-256 encryption at rest
- Row-Level Security (RLS) at database level, JWT-based authentication
- Role concept: Owner/Admin/Member with least-privilege principle
- MFA for all admin access (Vercel, Supabase, GitHub)
- Secrets in environment variables, no hardcoding in source code
Availability and Recovery
- Serverless hosting with auto-scaling and DDoS protection
- Automatic daily database backups
- Point-in-time recovery
- Git versioning of all deployments, rollback possible at any time
Regular Review
- Dependency checks via npm audit and Dependabot
- Regular security updates of all dependencies
§ 10 Notification of Data Breaches
AfterCost reports any personal data breach without undue delay, no later than 48 hours after becoming aware of it, to the Controller. The notification includes the nature of the breach, affected data categories, estimated number of affected persons, and countermeasures taken. AfterCost assists in fulfilling the authority notification obligation pursuant to Art. 33 GDPR.
§ 11 Liability
Liability is governed by Art. 82 GDPR. Each controller or processor involved in processing is liable for damage caused by non-GDPR-compliant processing. Otherwise, the liability provisions of the Terms of Service apply.
§ 12 Third-Country Transfers
Where sub-processors in third countries (USA) are used, the transfer is based on the EU-US Data Privacy Framework (DPF). As a fallback, Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR are agreed. Primary data storage takes place in EU data centers (Frankfurt).
§ 13 Final Provisions
This DPA is governed by German law. Amendments and additions require written form. Should individual provisions be or become invalid, the validity of the remaining provisions shall remain unaffected (severability clause).