Data Processing Agreement (DPA)

This agreement governs the processing of personal data on behalf of the controller in accordance with Art. 28 GDPR.

Version 2025-12-21Effective Date: December 21, 2025

This Data Processing Agreement sets out the terms under which we, as a data processor, process personal data on your behalf.

Parties

Data Controller

Your company (as Data Controller)

Data Processor

David Huh

Lucian-Reich-Str. 16

76473 Iffezheim

Scope and Duration of Processing

Subject Matter of Processing

Operation of the Custodi platform for property and facility management

Duration of Processing

Duration of the contractual relationship

Nature and Purpose of Processing

Storage, processing, and transmission of property, meter reading, and user data

Types of Personal Data

Contact data, authentication data, meter readings, property data, activity logs

Categories of Data Subjects

Controller's employees, customers, property owners

Obligations of the Processor

Processing only according to documented instructions
Obligation to confidentiality
Technical and organizational measures (TOMs)
Use of subprocessors
Support for data subject rights
Deletion and return of data
Documentation and audit

Technical and Organizational Measures (TOMs)

Data Security:

Daily automated backup of databases at the cloud provider (Neon Tech Inc., Germany/Frankfurt). Additionally, regular geo-redundant archiving of critical data on a local storage system at the contractor (Cold Storage).

Encryption:

All data transmissions via HTTPS/TLS 1.3
Passwords hashed with bcrypt
Session tokens encrypted in storage

Access Control:

Role-based access control (RBAC) at organization level
Two-factor authentication (2FA) available
Audit logs for security-relevant events

Data Separation:

Strict multi-tenant separation at database level
Automatic filtering by organization ID
No cross-organization access possible

Backup & Recovery:

Daily automated backups
30-day backup retention
Geo-redundant storage of critical data

List of Subprocessors

An up-to-date list of all subprocessors can be found in our Privacy Policy under the Subprocessors section.

Name	Purpose	Location	Safeguards
Vercel Inc.	Hosting & CDN	Germany (Frankfurt)	Standard Contractual Clauses (SCC)
Neon Tech Inc.	Database Hosting	Germany (Frankfurt)	Standard Contractual Clauses (SCC)
Resend Inc.	Email Service	Ireland	Standard Contractual Clauses (SCC)
Perplexity AI Inc.	AI-powered meter reading analysis	USA	Standard Contractual Clauses (SCC)
Redis Labs Ltd.	Real-time synchronization infrastructure	Germany (Frankfurt)	Standard Contractual Clauses (SCC)
Mapbox Inc.	Address geocoding, map visualization, and location services	Global CDN (EU nodes available)	Standard Contractual Clauses (SCC)
Bright Sky API / Deutscher Wetterdienst (DWD)	Weather data and forecasting services	Germany (DWD Offenbach)	Public sector data provider (DWD is a German federal authority); Server-side API calls only (no client IP addresses transmitted); Coordinates rounded to 2 decimals (~1.1km precision) for data minimization; Data licensed under CC BY 4.0

Last updated: December 21, 2025