
Data Processing Agreement

The data-processing terms that apply when Oris Invoice processes personal data on your behalf as a data processor.

Aligned with: DSGVO Art. 28 + BDSG-neu · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with DSGVO Art. 28 + BDSG-neu. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Definitions

"Verantwortlicher" (Controller), "Auftragsverarbeiter" (Processor), "personenbezogene Daten" (Personal Data), "Verarbeitung" (Processing), "betroffene Person" (Data Subject), and other capitalised terms have the meanings set out in DSGVO Art. 4 and the BDSG-neu. "Customer Personal Data" means Personal Data contained in Customer Data that we process on your behalf. "AVV" (Auftragsverarbeitungsvertrag) means this Data Processing Agreement.

2. Roles and instructions (DSGVO Art. 28(3)(a))

You are the Verantwortlicher (Controller) of Customer Personal Data. We are the Auftragsverarbeiter (Processor). We process Customer Personal Data only on your documented instructions, including with regard to transfers to a third country or an international organisation, unless EU or member-state law to which we are subject requires us to process it otherwise. In that case we inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (DSGVO Art. 28(3)(a)).

3. Confidentiality and personnel (DSGVO Art. 28(3)(b))

We ensure that every person authorised to process Customer Personal Data has committed to confidentiality or is under an appropriate statutory obligation of confidentiality (DSGVO Art. 28(3)(b), Art. 29 and Art. 32(4)) and has received appropriate data-protection training. Access is restricted on a need-to-know basis and enforced through role-based access controls.

4. Security measures (DSGVO Art. 32)

We implement appropriate technical and organisational measures (Technische und organisatorische Maßnahmen, TOM) as required by DSGVO Art. 32, including (a) encryption of data at rest (AES-256-GCM) and in transit (TLS 1.3); (b) regular vulnerability scanning and penetration testing; (c) network segmentation, least-privilege access, and centralised logging; (d) incident detection and response procedures; (e) background checks (Hintergrundprüfungen) for personnel with production access. The current TOMs are documented in our Security Whitepaper, available on request.

5. Sub-processors (DSGVO Art. 28(2), 28(4))

You grant us general authorisation to engage sub-processors (Unterauftragsverarbeiter) to provide the service. We maintain a current list of sub-processors and inform you at least 30 days before adding or replacing one, so that you can exercise your right to object under DSGVO Art. 28(2). We impose on each sub-processor the same data-protection obligations as set out in this AVV and, where a sub-processor fails to fulfil those obligations, we remain fully liable to you for its performance (DSGVO Art. 28(4)).

6. Data subject rights (DSGVO Art. 28(3)(e))

We assist you in responding to requests from data subjects (betroffene Personen) exercising their rights of access (Auskunft, Art. 15), rectification (Berichtigung, Art. 16), erasure (Löschung, Art. 17), restriction (Einschränkung, Art. 18), data portability (Datenübertragbarkeit, Art. 20) and objection (Widerspruch, Art. 21) by providing self-service export tools and, where needed, dedicated processor support. You remain responsible for communicating with the data subject.

7. Data breach notification (DSGVO Art. 33)

We notify you without undue delay after becoming aware of a personal data breach (Verletzung des Schutzes personenbezogener Daten) affecting Customer Personal Data, as required by DSGVO Art. 33(2), and in any event within 72 hours of becoming aware. The notification includes the information listed in DSGVO Art. 33(3) (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed), so far as it is available to us, so that you can meet your own notification obligation to the supervisory authority under Art. 33(1) and, where applicable, your obligation to communicate the breach to data subjects under Art. 34.

8. International transfers (DSGVO Chapter V)

Where we transfer Customer Personal Data outside the EEA, we rely on (a) an adequacy decision of the European Commission (Angemessenheitsbeschluss), or (b) the EU Standard Contractual Clauses (SCCs, Implementing Decision (EU) 2021/914) together with a documented Transfer Impact Assessment as required following the Schrems II judgment, or (c) another lawful transfer mechanism under DSGVO Art. 46. The transfer mechanism used for each sub-processor is stated in our sub-processor list.

9. Audits (DSGVO Art. 28(3)(h))

You may audit our compliance with this AVV, on reasonable notice and at your cost, no more than once in any 12-month period (or additionally following a personal data breach). To satisfy most audit requirements without an on-site visit, we provide our SOC 2 Type II report, our ISO 27001 certificate and, once complete, our BSI C5 attestation, where you accept these as adequate evidence.

10. Return or deletion of data (DSGVO Art. 28(3)(g))

On termination of the service, we will, at your election, return Customer Personal Data to you in a structured, machine-readable format and/or delete it from our systems. Copies held in backups are purged within 35 days of deletion, and invoice records that we are required to retain under the 10-year statutory retention obligation in § 147 AO are kept for that period only and remain subject to this AVV.

11. Liability and conflicts

This AVV forms part of, and is subject to, our Terms of Service. In the event of a conflict between this AVV and the Terms, this AVV prevails on data-protection matters. Liability under this AVV is subject to the limitations in the Terms, except where the DSGVO or the BDSG-neu mandate otherwise.

12. Effective date

This AVV takes effect on the date you accept the Terms of Service or sign a separate order form that references it. We may update this AVV from time to time; we notify you of material changes at least 30 days before they take effect.