Data Processing Agreement
1. Subject matter and duration
The processor (Simon Kappelmeir β Dienstleistung, Weiherbachweg 6, 82216 Maisach, Germany, support@horticum.com) provides the "Horticum" software to the controller as a SaaS application and processes personal data exclusively on behalf of the controller pursuant to Art. 28 GDPR. This Data Processing Agreement (DPA) takes effect upon conclusion of the main contract (app usage agreement) and ends automatically with its termination. Processing takes place exclusively within the EU/EEA or in third countries covered by an adequacy decision or appropriate safeguards (Standard Contractual Clauses, SCC).
2. Nature and purpose of the processing
The purpose of processing is the provision of app functionality, in particular: β’ Bed planning, crop planning, task and daily-plan management β’ Time tracking and absence management for employees β’ Plant-protection and fertilisation documentation β’ First-aid log (under German DGUV rules) β’ Contact management (customers, suppliers, contact persons) β’ Label and list printing (Pro+ subscription) β’ Synchronisation between end devices β’ Account and subscription management
3. Types of personal data
β’ Master and communication data (name, address, phone, email) β’ Login/account data (email, password hash, session token, IP addresses) β’ Business master data (tax number, VAT ID, IBAN/BIC) β’ Operational planning and control data β’ Time tracking and absence data β’ Special categories under Art. 9 GDPR: health data of employees in the digital first-aid log (statutory retention 5 years under DGUV Rule 1) β’ Plant-protection application data (operator qualification, applicator names, applications β under Β§ 11 PflSchG, 3 years) β’ Fertilisation data (under DΓΌV)
4. Categories of data subjects
β’ Owner or management of the controller β’ Employees and trainees of the controller β’ Customers, suppliers and contact persons of the controller β’ End customers of the controller (where stored in contact management)
5. Obligations of the processor
The processor undertakes to process personal data exclusively under this agreement and on the documented instructions of the controller (Art. 28 (3)(a) GDPR). All persons involved in processing are bound to confidentiality (Art. 28 (3)(b), Art. 29, Art. 32 (4) GDPR). The processor assists the controller in safeguarding the rights of data subjects (Art. 12β22 GDPR) and in fulfilling the obligations under Art. 32β36 GDPR (data protection impact assessment, prior consultation, notification of personal data breaches). Requests recognisably addressed to the controller are forwarded without undue delay. Data protection contact: Simon Kappelmeir, support@horticum.com. A data protection officer is currently not required by law.
6. Technical and organisational measures (TOMs)
The processor implements all necessary technical and organisational measures under Art. 32 GDPR, in particular: β’ Physical access control: server hosting in a certified data centre in Germany (ISO 27001), physical access control and 24/7 surveillance β’ System access control: email/password authentication, Argon2id/Bcrypt hashes, SSH public-key for admin access, rate limiting, session expiry β’ Data access control: tenant separation per business via Appwrite teams, role-based permission model β’ Transfer control: exclusively TLS 1.2+ (HTTPS), HSTS enabled β’ Input control: audit trail (createdAt, updatedAt) on all relevant records, synchronisation versions allow change tracing β’ Order control: DPA with all sub-processors β’ Availability control: daily backups (14-day retention), monitoring, RTO/RPO < 24 h, firewall, regular security updates β’ Separation control: separate test/development/production environments, tenant separation at the database level β’ Pseudonymisation: internal account IDs instead of plain names in server logs
7. Sub-processors
By concluding this agreement, the controller grants general authorisation for the use of the following sub-processors (Art. 28 (2) GDPR): β’ dogado GmbH (Dortmund, DE) β web/mail hosting, server proxy for VIES validation β’ dogado GmbH or comparable host (DE) β operation of the Appwrite server in Germany β’ Stripe Payments Europe Ltd. (Dublin, IE) β payment processing for Pro/Pro+ subscriptions on web and Android (for US transfers: SCC + Data Privacy Framework) β’ Apple Distribution International Ltd. (Cork, IE) β payment processing iOS/macOS via In-App Purchase β’ fintectura GmbH / openiban.com (Berlin, DE) β IBAN validation β’ European Commission, DG TAXUD (Brussels, BE) β VIES VAT ID check β’ komoot GmbH (Karlsruhe, DE) β Photon geocoding (street autocomplete) β’ zippopotam.us β postcode-to-city lookup The processor notifies the controller in text form at least 30 days in advance of any intended change. The controller may object within 14 days for an important data-protection reason. The processor is liable for compliance with data-protection obligations by sub-processors (Art. 28 (4) GDPR).
8. Data protection impact assessment and prior consultation
The processor supports the controller, within its reasonable means, in carrying out a data protection impact assessment (Art. 35 GDPR) and a prior consultation with the supervisory authority (Art. 36 GDPR), in particular by providing the necessary information on processing operations, TOMs and sub-processors.
9. Notification of personal data breaches
Personal data breaches are reported to the controller without undue delay, at the latest within 48 hours of becoming known, by email to the contact address on file β so that the controller can meet its own 72-hour deadline under Art. 33 GDPR. The notification contains the nature and scope of the breach, the categories of data and the approximate number of data subjects affected, the likely consequences and the measures taken or proposed.
10. Termination of processing
Upon termination of the main contract, the processor deletes all personal data of the controller within 30 days, unless a statutory retention obligation applies. At the controller's request, the data is made available beforehand in a machine-readable format (JSON export). Data subject to statutory retention (first-aid entries: 5 years under DGUV; plant-protection data: 3 years under PflSchG) is kept in blocked form until the retention period expires and is then deleted. Deletion is confirmed in writing on request.
11. Evidence and audit
The controller may verify compliance with this agreement by the processor (Art. 28 (3)(h) GDPR). Verification is primarily carried out by requesting current evidence (data-protection concept, TOMs, sub-processor list, audit reports). On-site inspections are possible once a year during normal business hours, after prior scheduling with at least 4 weeks' lead time. The effort for accompaniment is reimbursed at a previously agreed hourly rate.
12. Final provisions
Amendments and additions to this agreement require text form; this also applies to the cancellation of this clause. If individual provisions are invalid, the validity of the remaining provisions is not affected. The invalid provision shall be replaced by a valid provision that comes closest to the economic purpose. German law applies. Place of jurisdiction is β to the extent legally permissible β Maisach (registered seat of the processor). Liability is governed by Art. 82 GDPR and otherwise by the main contract.