Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR · Naturkompass Widget & ESG · As of: May 2026

This DPA is deemed agreed upon as soon as a business customer uses Naturkompass Widget or Naturkompass ESG and personal data (e.g. employee or contact person data) is processed in that context. An individually signed version can be provided on request: hallo@gartenexpedition.de.

§ 1 Subject Matter and Duration

This Data Processing Agreement (DPA) governs the processing of personal data by the processor (Alexander Göcke, Gartenexpedition, Fellackerstr. 4a, 47495 Rheinberg, Germany — hereinafter "Provider") on behalf of the controller (the customer — hereinafter "Client") in connection with the use of Naturkompass Widget and/or Naturkompass ESG.

This DPA applies for the duration of the main contract (B2B Terms of Service) and terminates upon its conclusion, unless statutory retention obligations apply.

§ 2 Nature, Scope, and Purpose of Processing

The Provider processes personal data exclusively on documented instructions from the Client. The nature, scope, and purpose depend on the respective service:

  • Naturkompass Widget: Processing of API key metadata and technical usage logs (IP hashes, timestamps, slugs) for quota calculation, licence management, and security.
  • Naturkompass ESG: Processing of company data, contact details of assigned users, property data, plant lists, score snapshots, and certification metadata on behalf of the Client for calculating and displaying biodiversity scores.
  • Support and communication: Processing of contact details in the context of support requests, contract correspondence, and technical assistance.

Categories of data subjects: employees and contact persons of the Client, technical users (admin accounts).

Categories of personal data: name, email address, role/function, technical identifiers (API key hash, IP hash), usage logs.

§ 3 Client's Right to Issue Instructions

The Provider processes personal data solely in accordance with the Client's documented instructions. This DPA and the B2B Terms of Service constitute such instructions. Additional instructions may be issued by email to hallo@gartenexpedition.de.

If the Provider considers an instruction to be in breach of data protection law, it shall immediately inform the Client. The Provider is entitled to suspend execution of the instruction in question until the matter is clarified.

§ 4 Technical and Organisational Measures (TOMs)

The Provider implements appropriate technical and organisational measures in accordance with Art. 32 GDPR, including in particular:

  • Encryption of data transmission via HTTPS/TLS
  • Row Level Security (RLS) in the database — users can only access their own data
  • SHA-256 hashing of API keys — plaintext keys are not stored persistently
  • Access restrictions: database access only via authenticated API endpoints
  • Rate limiting and abuse protection at API level
  • Regular security reviews and dependency updates
  • Production data access limited to necessary roles (need-to-know principle)

A detailed description of the TOMs can be provided on request.

§ 5 Use of Sub-processors

The Provider uses the following sub-processors, to which general authorisation is hereby granted. The Client will be notified of material changes and has the right to object:

  Provider               | Purpose                            | Location / Safeguard
  -----------------------|------------------------------------|-----------------------
  Vercel Inc.            | Hosting / CDN / Edge               | USA · DPF / SCCs
  Supabase Inc.          | Database / Auth                    | USA · SCCs · EU region
  Cloudflare Inc.        | CDN / R2 storage / DDoS protection | USA · DPF / SCCs
  Upstash Inc.           | Redis cache / rate limiting        | USA · SCCs · EU region
  Stripe Inc.            | Payment processing                 | USA · DPF / SCCs
  Sendinblue SAS (Brevo) | Email delivery                     | France · EU
  Google LLC             | AI (Gemini Vision)                 | USA · DPF / SCCs

DPF = EU–U.S. Data Privacy Framework · SCCs = EU Standard Contractual Clauses

§ 6 Assistance to the Client

The Provider shall assist the Client, to the extent technically feasible, in fulfilling data subject rights (access, rectification, erasure), conducting data protection impact assessments, prior consultations, and reporting personal data breaches pursuant to Art. 33/34 GDPR.

§ 7 Personal Data Breaches and Notification

The Provider shall notify the Client without undue delay — and no later than 72 hours after becoming aware — of any personal data breach affecting the data processed under this DPA. The notification shall include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed.

§ 8 Deletion and Return of Data

Upon termination of the main contract, the Provider shall — at the Client's choice — delete or return all personal data processed on the Client's behalf, unless statutory retention obligations require otherwise.

The Client may at any time request deletion or transfer of their data by email.

§ 9 Audit Rights and Evidence

The Provider shall make available to the Client all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR. The Client is entitled to conduct audits and inspections, or to commission auditors to do so — subject to reasonable prior notice and confidentiality obligations.

§ 10 Final Provisions

This DPA forms part of the B2B Terms of Service. German law applies. Amendments require text form. Should any individual provisions be invalid, the validity of the remaining provisions shall not be affected.

For questions, individual signing, or amendments: hallo@gartenexpedition.de