Data Processing Agreement (DPA)
pursuant to Art. 28 GDPR · Effective: April 2026 (v1.0)
This is a translation of the German original. In case of any discrepancy between language versions, the German version shall prevail. The binding German version is available at businessnavigator.app/agb.
Preamble
By accepting the Terms of Service, the customer ("Controller") and INREMA Unternehmensberatung GmbH ("Processor") conclude this DPA. It governs the processing of personal data of the Controller's data subjects by the Processor on the Controller's behalf.
§ 1 Subject Matter, Nature, Purpose
Subject: provision of the Business Navigator platform and its activated tools. Nature: collection, storage, structuring, retrieval, display, transmission, deletion. Purpose: provision of booked tools. Duration: for the contractual relationship.
§ 2 Categories of Data Subjects and Data
Data subjects: visitors of the Controller's public tool pages, newsletter subscribers, contact form senders. Categories: IP address (anonymized for analytics), user agent, visit timestamps, click events, email address, message content.
§ 3 Obligations of the Processor
(1) Processes only on documented instructions. (2) Ensures confidentiality of authorized personnel. (3) Implements measures under Art. 32 GDPR (see Annex). (4) Assists with data subject rights. (5) Assists with Arts. 32–36 GDPR compliance. (6) At the Controller's choice, deletes or returns data at end of services. (7) Provides all information for Art. 28 compliance demonstration.
§ 4 Sub-Processors
General consent is given for: DomainFactory GmbH (hosting, DE), Stripe Payments Europe Ltd. (payments, IE), sslout.de (email delivery, DE), AI service provider for BN Business Guide. Equivalent Art. 28 obligations are imposed contractually. Changes are notified; the Controller may object within 30 days.
§ 5 Data Subject Rights
Data subjects assert rights with the Controller. If addressed directly, the Processor forwards without delay. Technical means to fulfill rights (access, portability, erasure) are provided via platform functionality.
§ 6 Data Breaches
The Processor notifies the Controller without undue delay, specifying nature, affected categories and records, likely consequences, measures taken.
§ 7 Data Protection Officer of the Processor
Andreas Rüdiger · datenschutz@businessnavigator.app
§ 8 Term and Termination
Begins with TOS acceptance, runs for the contractual relationship, terminates automatically with the service contract.
§ 9 Liability
Liability follows the Terms of Service and applicable statutory provisions (in particular Art. 82 GDPR).
Annex — Technical and Organizational Measures (TOMs, summary)
Confidentiality: access control (user auth, RBAC, session mgmt, 2FA), physical DC access control, SSH key-only access on Port 2202, fail2ban, UFW firewall.
Integrity: TLS 1.2+ only, Argon2id hashing, CSRF tokens, admin action audit logging.
Availability & Resilience: daily automated backups (7-day retention), health monitoring, DDoS protection at network layer.
Regular testing: periodic security review, testssl.sh audits, unattended-upgrades, annual TOM review.
Data minimization & storage limitation: 7-day account deletion, 3-year consent log retention, 10-year invoicing retention, IP anonymization for analytics.