Data Processing Agreement Auftragsverarbeitungsvertrag Veri İşleme Sözleşmesi
Article 28 GDPR · Last updated: July 15, 2026 Art. 28 DSGVO · Zuletzt aktualisiert: 15. July 2026 GDPR Md. 28 · Son güncelleme: 15.07.2026
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Controller: the Customer (you), the e-commerce seller subscribing to the Service.
- Processor: Ahsen Supply GmbH, operator of the AUX Fulfillment platform.
This DPA governs the processing of personal data by the Processor on behalf of the Controller.
2. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the duration of the Service subscription, in order to provide order management, inventory sync, shipping label generation, and storefront services.
3. Nature and Purpose of Processing
Processing activities include:
- Receiving order data from marketplaces (Amazon, eBay, Otto) via authorized APIs.
- Generating and printing shipping labels via carrier APIs.
- Sending status updates and confirmations to end customers (where authorized).
- Storing transactional records for tax and audit purposes.
- Hosting and operating the Controller's storefront, if used.
4. Types of Personal Data
- Identity data: full name, business name.
- Contact data: postal address, phone number, email address.
- Order data: order numbers, items, quantities, prices.
- Marketplace identifiers: buyer IDs, seller-internal references.
- Technical metadata: timestamps, IP addresses (for security logging).
5. Categories of Data Subjects
- End customers (buyers) on connected marketplaces.
- End-of-line consumers visiting the Controller's storefront.
- Authorized personnel of the Controller (staff accounts).
6. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions of the Controller, including with regard to transfers to a third country.
- Ensure that authorized personnel are bound by confidentiality (NDA or statutory).
- Implement technical and organizational measures pursuant to Art. 32 GDPR (see Annex A).
- Assist the Controller with data subject rights requests (Art. 12-22 GDPR) within reasonable timeframes.
- Assist the Controller with notifications under Art. 33 (breach notification) and Art. 35 (DPIA).
- Delete or return all personal data after end of services, except where Union or Member State law requires storage.
- Make available all information necessary to demonstrate compliance and allow for audits.
7. Sub-Processors
The Controller authorizes the Processor to engage the following sub-processors:
- Hetzner Online GmbH (Germany) — infrastructure hosting, backups.
- Amazon Services Europe S.à.r.l. (Luxembourg) — marketplace data API.
- eBay GmbH (Germany) — marketplace data API.
- Otto GmbH & Co KG (Germany) — marketplace data API.
- DHL Paket GmbH, Hermes Germany GmbH, UPS, FedEx — shipping label generation.
- Sentry (Functional Software, Inc.) — error monitoring (EU region, PII scrubbing).
- Email delivery provider (e.g., Postmark / Mailgun, EU region) — transactional emails.
The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
8. International Transfers
All processing is performed within the EU/EEA. If any sub-processor processes data outside the EU/EEA, transfers are governed by the Standard Contractual Clauses (SCC) adopted by the European Commission (Decision 2021/914) and supplementary measures where required.
9. Security Measures (Annex A)
The Processor implements at minimum:
- Encryption: AES-256 at rest, TLS 1.2+ in transit.
- Pseudonymization where feasible (e.g., for analytics).
- Access control: role-based access, MFA for all admin accounts, 12-character minimum passwords, 90-day rotation.
- Network security: VPC, firewalls, IP whitelisting for admin, IDS/IPS.
- Logging: centralized, immutable logs (90-day retention), automated anomaly detection.
- Backup: daily encrypted backups, geographically separate EU location, 30-day rolling retention.
- Vulnerability management: quarterly scans, annual penetration tests, SAST/DAST in CI/CD.
- Incident response: documented IR plan, IMPOC reachable 24/7, 72-hour breach notification to controllers.
- Personnel: NDA-bound, annual security training, principle of least privilege.
10. Breach Notification
The Processor will notify the Controller without undue delay (within 72 hours of becoming aware) of any personal data breach, providing details under Art. 33(3) GDPR.
11. Data Subject Rights
The Processor assists the Controller in fulfilling its obligations to respond to data subject requests, providing tools or manual support within 30 days.
12. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, either through:
- Review of relevant certifications (ISO 27001, SOC 2, where available).
- Submission of a questionnaire to be answered in writing.
- On-site audit, with 30 days advance notice, at the Controller's expense, no more than once per year (except where required following a breach).
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service. Liability for damages caused by Processor's breach of GDPR obligations is governed by Art. 82 GDPR.
14. Termination
This DPA terminates automatically upon termination of the underlying Terms of Service. The Processor will delete all personal data within 30 days of termination, subject to legal retention requirements (e.g., tax records).
15. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany.
16. Contact
Ahsen Supply GmbH — Data Protection Officer
Steinerne Furt 44, 86167 Augsburg, Germany
Commercial Register: HRB 38440, Amtsgericht Augsburg
Email: dpo@auxfulfillment.de
1. Parteien
Dieser Auftragsverarbeitungsvertrag („AV-Vertrag") ergänzt die AGB zwischen:
- Verantwortlicher: der Kunde (E-Commerce-Händler).
- Auftragsverarbeiter: Ahsen Supply GmbH, Betreiber der AUX Fulfillment-Plattform.
2. Gegenstand und Dauer
Der Auftragsverarbeiter verarbeitet personenbezogene Daten im Auftrag des Verantwortlichen für die Dauer des Service-Abonnements.
3. Art und Zweck der Verarbeitung
- Empfang von Bestelldaten von Marktplätzen via API.
- Erstellung von Versandetiketten via Versanddienstleister-APIs.
- Versand von Statusmeldungen an Endkunden (sofern autorisiert).
- Speicherung für steuerliche Zwecke.
- Betrieb des Storefronts des Verantwortlichen.
4. Art der Daten
- Identitätsdaten: Name, Firma.
- Kontaktdaten: Anschrift, Telefon, E-Mail.
- Bestelldaten: Auftragsnummern, Artikel, Mengen, Preise.
- Marketplace-IDs.
- Technische Metadaten: Zeitstempel, IP-Adressen.
5. Betroffene
- Endkunden auf verbundenen Marktplätzen.
- Besucher des Storefronts.
- Mitarbeiter des Verantwortlichen.
6. Pflichten des Auftragsverarbeiters
- Verarbeitung nur auf dokumentierte Weisung des Verantwortlichen.
- Vertraulichkeitsverpflichtung der Mitarbeiter.
- Technische und organisatorische Maßnahmen gemäß Art. 32 DSGVO (Anlage A).
- Unterstützung bei Betroffenenrechten und Meldepflichten.
- Löschung oder Rückgabe nach Auftragsende.
- Bereitstellung von Nachweisen und Audit-Möglichkeit.
7. Unterauftragsverarbeiter
- Hetzner Online GmbH (Deutschland) — Hosting.
- Amazon Services Europe S.à.r.l. (Luxemburg).
- eBay GmbH, Otto GmbH (Deutschland).
- DHL, Hermes, UPS, FedEx.
- Sentry (EU-Region, PII-Filter).
- E-Mail-Versand (EU-Region).
Änderungen werden mindestens 30 Tage im Voraus angekündigt; Widerspruchsrecht des Verantwortlichen.
8. Internationale Übermittlung
Verarbeitung erfolgt in der EU/EWR. Bei Drittlandübermittlungen gelten Standardvertragsklauseln (SCC, EU-Beschluss 2021/914).
9. Sicherheitsmaßnahmen (Anlage A)
- Verschlüsselung: AES-256 (rest), TLS 1.2+ (transit).
- Zugriffskontrolle: rollenbasiert, MFA, 12-stellige Passwörter, 90-Tage-Rotation.
- Netzwerksicherheit: VPC, Firewall, IP-Whitelist, IDS/IPS.
- Protokollierung: zentralisiert, unveränderlich, 90-Tage-Aufbewahrung.
- Backup: täglich, verschlüsselt, geografisch getrennter EU-Standort.
- Schwachstellenmanagement: quartalsweise Scans, jährliche Pentests.
- Vorfallreaktion: 72-Stunden-Meldepflicht, 24/7 IMPOC.
- Personal: NDA, jährliche Schulung, Least Privilege.
10. Meldung von Verletzungen
Meldung an den Verantwortlichen innerhalb von 72 Stunden nach Kenntnisnahme (Art. 33 DSGVO).
11. Betroffenenrechte
Unterstützung bei der Bearbeitung von Anfragen innerhalb von 30 Tagen.
12. Auditrechte
- Einsichtnahme in Zertifikate (ISO 27001, SOC 2).
- Schriftlicher Fragebogen.
- Vor-Ort-Audit mit 30 Tagen Ankündigung, einmal jährlich (außer nach Vorfall).
13. Haftung
Haftung gemäß AGB; bei DSGVO-Verstößen Art. 82 DSGVO.
14. Kündigung
Endet automatisch mit den AGB. Löschung innerhalb von 30 Tagen (außer gesetzliche Aufbewahrung).
15. Anwendbares Recht
Deutsches Recht.
16. Kontakt
Ahsen Supply GmbH — Datenschutzbeauftragter
E-Mail: dpo@auxfulfillment.de
1. Taraflar
- Veri Sorumlusu: Müşteri (e-ticaret satıcısı).
- Veri İşleyen: Ahsen Supply GmbH, AUX Fulfillment platformu işleticisi.
2. Konu ve Süre
Veri İşleyen, abonelik süresince Veri Sorumlusu adına kişisel veri işler.
3. İşleme Niteliği ve Amacı
- Pazaryerlerinden API ile sipariş verisi alma.
- Kargo etiketi oluşturma.
- Sipariş durumu güncellemelerini gönderme.
- Vergi ve denetim amaçlı saklama.
- Storefront barındırma ve işletme.
4. Veri Türleri
- Kimlik: ad, firma.
- İletişim: adres, telefon, e-posta.
- Sipariş: numara, ürün, miktar, fiyat.
- Marketplace ID'leri.
- Teknik: zaman damgaları, IP adresleri.
5. Veri Sahibi Kategorileri
- Pazaryerlerindeki son alıcılar.
- Storefront ziyaretçileri.
- Veri Sorumlusu çalışanları.
6. Veri İşleyenin Yükümlülükleri
- Sadece Veri Sorumlusu'nun belgeli talimatıyla işleme.
- Çalışanların gizlilik yükümlülüğü.
- GDPR Md. 32 teknik/organizasyonel önlemler (Ek A).
- Veri sahibi haklarına ve ihlal bildirimine destek.
- Hizmet bitiminde silme veya iade.
- Denetim olanağı sağlama.
7. Alt İşleyiciler
- Hetzner Online GmbH (Almanya).
- Amazon, eBay GmbH, Otto GmbH.
- DHL, Hermes, UPS, FedEx.
- Sentry (AB bölgesi).
- E-posta gönderim sağlayıcısı (AB bölgesi).
Değişiklikler 30 gün önceden bildirilir; itiraz hakkı vardır.
8. Uluslararası Aktarım
AB/EEA içinde işlenir. AB dışı aktarımlarda Standart Sözleşme Hükümleri (SCC) uygulanır.
9. Güvenlik Önlemleri (Ek A)
- Şifreleme: AES-256 (rest), TLS 1.2+ (transit).
- Erişim: rol bazlı, MFA, 12 karakter şifre, 90 günde rotasyon.
- Ağ: VPC, firewall, IP whitelist, IDS/IPS.
- Loglama: merkezi, değiştirilemez, 90 gün.
- Yedek: günlük şifreli, ayrı AB konumu, 30 gün döngü.
- Zafiyet yönetimi: 3 aylık tarama, yıllık sızma testi.
- İhlal yanıtı: 72 saat bildirim, 24/7 IMPOC.
- Personel: NDA, yıllık eğitim, en az ayrıcalık.
10. İhlal Bildirimi
İhlal öğrenildikten sonra 72 saat içinde Veri Sorumlusu'na bildirim (GDPR Md. 33).
11. Veri Sahibi Hakları
Veri Sorumlusu'na taleplerin yerine getirilmesinde 30 gün içinde destek.
12. Denetim Hakları
- Sertifika (ISO 27001, SOC 2) inceleme.
- Yazılı anket.
- 30 gün önceden bildirim ile yılda bir yerinde denetim.
13. Sorumluluk
Sorumluluk Kullanım Şartlarındaki sınırlara tabidir. GDPR ihlallerinde Md. 82 uygulanır.
14. Fesih
Kullanım Şartları sona erince otomatik biter. 30 gün içinde veri silinir (yasal saklama hariç).
15. Geçerli Hukuk
Almanya Federal Cumhuriyeti hukuku.
16. İletişim
Ahsen Supply GmbH — Veri Koruma Sorumlusu
E-posta: dpo@auxfulfillment.de