Ensight – Data Processing Agreement (DPA)

Note: This is an informal English translation for reference only. The German version is legally binding.

Parties

Controller (hereinafter "Client"):
The customer whose data is processed within the Ensight subscription.

Processor (hereinafter "Provider"):
Entropy Software & Consulting, Bastian Entrup, Mühlenstieg 19, 37181 Hardegsen

§ 1 Subject Matter and Duration of Processing

(1) The subject of this agreement is the processing of personal data by the Provider in connection with the provisioning and operation of the software Ensight DMS — a digital document management system for automated capture, analysis, archiving, and search of business documents (in particular incoming invoices and receipts).

(2) Processing begins upon conclusion of the main contract and ends upon its termination, unless this DPA contains deviating provisions.

§ 2 Nature and Purpose of Processing

Personal data is processed exclusively for the purpose of providing the contractually agreed services:

Document capture: Receipt and storage of invoices, receipts, and business documents (upload, email import)
AI-assisted data extraction: Automatic extraction of structured data (merchant name, address, amount, date, IBAN, line items) from documents using large language models
Archiving and indexing: Storage of documents and metadata in encrypted databases; full-text indexing for search queries
Approval workflow: Support for manual review and approval of incoming documents
Export: Provision of documents and metadata in ZIP/CSV format

Processing for purposes other than those stated is not permitted.

§ 3 Categories of Personal Data

Category	Examples
Contact and identification data	Name, company, address of suppliers, customers
Financial data	Invoice amounts, tax numbers, IBAN, payment references
Communication data	Email address (for email import), subject lines
Contract data	Order numbers, customer numbers, service descriptions
Metadata	Upload timestamps, file hash values, version information

Special categories of personal data within the meaning of Art. 9 GDPR are not processed as a matter of principle. Should such data exceptionally be contained in transmitted documents, responsibility for the legal basis lies with the Client.

§ 4 Categories of Data Subjects

Suppliers and service providers of the Client
Customers of the Client
Employees of the Client (where mentioned in documents)
Other third parties appearing in processed documents

§ 5 Instructions

(1) The Provider processes personal data exclusively on documented instructions from the Client, unless required by Union or Member State law to process otherwise.

(2) Instructions are generally given through the main contract, its annexes, and in writing or text form (email).

(3) If the Provider considers that an instruction infringes the GDPR, it shall immediately inform the Client and is entitled to suspend execution pending clarification.

(4) Verbal instructions are confirmed in writing without delay.

§ 6 Confidentiality

(1) The Provider ensures that persons authorized to process data are committed to confidentiality or are subject to an appropriate statutory obligation of secrecy.

(2) The Provider regularly trains its staff on data protection and information security matters.

§ 7 Technical and Organizational Measures (TOMs)

The Provider implements the following technical and organizational measures pursuant to Art. 32 GDPR. Material changes will be communicated to the Client in advance.

1. Physical Access Control

Server infrastructure exclusively at Hetzner Online GmbH (ISO 27001, data center Germany)
Physical access is solely managed by Hetzner; the Provider has no own server room

2. System Access Control

SSH access exclusively via public key authentication; password authentication disabled
UFW firewall: Only ports 22 (SSH), 80 (HTTP redirect), and 443 (HTTPS via Traefik) are publicly accessible
JWT authentication: All API requests require a short-lived bearer token (valid for 1 hour)
The DAL service is accessible only within the internal Docker network
Separate JWT secrets and database passwords per tenant

3. Data Access Control

Network segmentation: PostgreSQL, MinIO, and OpenSearch are accessible only within the internal Docker network
Database access only via the DAL proxy; no direct external database access
Separate database passwords and MinIO credentials per tenant (256-bit entropy)

4. Data Separation Control

Each tenant receives a dedicated Docker network (tenant-<slug>)
Each tenant receives a dedicated PostgreSQL database with its own database user and password
Each tenant receives a dedicated MinIO bucket and OpenSearch index
All secrets are generated individually per tenant and not shared across tenants

5. Pseudonymization

Documents are stored under a SHA-256 hash of the file content as the primary deduplication key

6. Encryption / Transmission Security

External: All connections between end users and the server via TLS 1.2+ through Traefik; Let's Encrypt certificates are automatically issued and renewed
Internal: Communication between services via isolated Docker networks
Data at rest: Server-side disk encryption by Hetzner per their security policies
Private keys are stored exclusively locally with the Provider and not in version control

7. Availability and Backup

Docker services with restart: unless-stopped; systemd unit for automatic start after server reboot
Backup frequency: Automated daily full backup of all tenant data, daily at approx. 03:00 UTC
Backup content: Complete PostgreSQL database (compressed SQL dump) and all stored documents (MinIO bucket)
Backup location: Hetzner Object Storage, Germany — physically separate from the production server
Retention: 90 days; older backups are automatically deleted
Integrity: Each backup includes SHA-256 checksums of all files

8. Resilience

Failure or compromise of one tenant does not affect other tenants due to network and data separation
Recovery time (RTO) in case of server failure: approx. 15–30 minutes for infrastructure, plus data restoration time

9. Recovery

Target RPO (Recovery Point Objective): max. 24 hours (last daily backup)
The OpenSearch search index can be fully rebuilt from primary data

10. Evaluation Procedures

Deployment scripts under version control (Git)
Application logs available via docker compose logs
Regular review of security measures, at least annually

11. Organizational Measures

Commitment of all staff with data access to confidentiality
Use of separate SSH keys per authorized person
Incident response: Upon awareness of a data breach, immediate internal escalation and notification of the Client within 24 hours

§ 8 Sub-Processors

(1) The Provider uses the following sub-processors, to which the Client generally consents by concluding this DPA:

#	Company	HQ	Processing location	Purpose
1	Hetzner Online GmbH	Gunzenhausen, Germany	Germany (Nuremberg / Falkenstein)	Server infrastructure, hosting, backup storage
2	Anthropic, Inc.	San Francisco, USA	USA ¹	AI extraction of document content via Claude API

¹ Third-country transfer (Anthropic): Transfer to the USA is based on EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914. Anthropic does not use transmitted document content for training AI models (per Anthropic's API usage policy).

(2) The Provider will inform the Client of intended changes to sub-processors at least 30 days in advance. The Client may object for documented good cause.

(3) The Provider imposes the same data protection obligations on sub-processors as agreed between the parties.

§ 9 Assistance to the Client

(1) The Provider assists the Client in fulfilling its obligations under Art. 32–36 GDPR through appropriate technical and organizational measures, where possible.

(2) The Provider assists the Client in responding to requests from data subjects (access, rectification, erasure, data portability, objection).

(3) For assistance beyond the contractually agreed scope, the Provider may charge reasonable compensation.

§ 10 Reporting Data Breaches

(1) The Provider reports personal data breaches to the Client without undue delay, at most within 24 hours of becoming aware.

(2) The notification contains at minimum: the nature of the breach, the categories and approximate number of data subjects and records affected, likely consequences, and remedial measures taken.

(3) Notification is made to the Client's designated contact by email.

§ 11 Deletion and Return of Data

(1) After termination of the main contract, the Provider deletes all personal data of the Client. Deletion includes: PostgreSQL database, MinIO bucket, OpenSearch index, and backups after expiry of the 90-day retention period.

(2) The Provider confirms deletion in writing within 30 days of contract termination, on request.

§ 12 Evidence, Controls, and Audits

(1) The Provider makes all information necessary to demonstrate compliance with Art. 28 GDPR obligations available to the Client.

(2) The Provider allows audits with at least 14 days' notice. Audits must not disproportionately impair ongoing operations and are limited to data protection-relevant aspects.

(3) The Provider may present equivalent evidence (e.g. ISO 27001 or SOC 2 certifications) in lieu of an on-site audit.

§ 13 Liability

Liability between the parties is governed by the provisions of the main contract (ToS) and the statutory provisions of the GDPR, in particular Art. 82 GDPR.

§ 14 Final Provisions

(1) This DPA is part of the main contract and follows its fate. In case of conflict between DPA and ToS, the DPA takes precedence.

(2) Amendments require text form. German law applies. Place of jurisdiction is, to the extent permitted by law, the Provider's registered office.

Entropy Software & Consulting · Bastian Entrup · Mühlenstieg 19 · 37181 Hardegsen
Email: info@entropy-zero.de
As of: May 2026