Data Processing Agreement (DPA)
For customers who upload their clients' personal data into Aisthetix, we sign a Data Processing Agreement under Art. 28 GDPR. A ready-to-sign contract is provided on request; the DPA must be signed before the first processing operation.
What the DPA covers
- Subject and duration of processing (tied to the term of the master contract).
- Nature and purpose of processing — formal compliance validation of client data against GDPR, GoBD and § 203 StGB criteria.
- Types of personal data and categories of data subjects — typically client records (name, address, IBAN, Steuer-ID, and optionally employee data).
- Obligations and rights of the controller (customer) and processor (Aisthetix).
- Technical and organisational measures (TOMs) as an annex — see docs/toms.md.
- Approved sub-processors (Hetzner, Vercel, Resend) and procedure for changes.
- Incident-response procedure, handling of data-subject requests, and deletion obligations on contract end.
- Third-country transfer agreement — Standard Contractual Clauses under Art. 46(2)(c) GDPR for Resend (US) and Vercel (US).
Request the DPA
Send a short email to hallo@aisthetix.de with your company name and the desired effective date. You will receive a ready-to-sign DPA as a signed PDF within one business day.
Related documents
- Privacy policy — overview of every sub-processor and retention period.
- Terms & conditions — master contract.
Effective: May 2026 · Aisthetix · hallo@aisthetix.de