savien Legal
Data Processing Agreement (DPA)
Data processing agreement pursuant to Art. 28 GDPR.
Last updated: 2026-05-12
This DPA applies between the respective customer as controller and savien (sole proprietorship, Meierberger Str. 14, 31737 Rinteln, Germany) as processor.
This DPA becomes part of the Terms upon contract conclusion (registration, subscription or use of savien) and applies to all customers who process personal data within savien.
1. Subject Matter and Duration
The subject matter of processing is the provision, operation, maintenance, support and security of savien as B2B SaaS.
The duration of processing corresponds to the term of the main agreement. After contract end, personal data will be deleted or returned in accordance with this DPA, statutory obligations and technical backup cycles.
2. Role Allocation
The customer is controller for personal data that it or its users process in savien for their own B2B processes. The customer determines the purposes and means of such processing.
savien processes such customer personal data as processor unless it acts as controller for specific processing.
savien remains controller for its own contract, billing, security, website, support and operational data. These processing activities are described in the Privacy Policy and are not subject to this DPA.
3. Nature and Purpose of Processing
Processing is carried out for:
- Providing platform functions.
- Storing and displaying customer data.
- Authentication and permission checks.
- Communication between merchants, suppliers and employees.
- Document and file management.
- Email and in-app notifications.
- Billing, support, error analysis, security, backups and misuse prevention.
- Optional third-party integrations activated by the customer.
- Export, portability, return and deletion of customer data under the contract, GDPR and, where applicable, the EU Data Act.
4. Categories of Data Subjects
- Users and employees of the customer.
- Merchants, suppliers and their contact persons.
- Invited users and business partners.
- Support contacts.
- Other persons whose data the customer enters or uploads to savien.
5. Categories of Personal Data
- Names, company assignment, roles and permissions.
- Email addresses, telephone numbers, business addresses.
- Authentication and session data.
- Order, delivery, item, catalogue, price, shipment and return data.
- Comments, documents, files and metadata.
- Notification and communication data.
- Integration data such as BillBee credentials and SKU mappings.
- Usage, security, error and audit data.
Special categories of personal data under Art. 9 GDPR and data under Art. 10 GDPR are not intended to be processed in savien. The customer undertakes not to process such data in savien without prior agreement and appropriate safeguards.
6. Customer Instructions
We process personal data only on documented customer instructions unless a legal obligation requires otherwise. Instructions arise from the main agreement, this DPA, settings in the application and documented individual instructions.
Instructions must be issued in text form or through the application. Oral instructions must be confirmed in text form without undue delay.
If we consider an instruction unlawful, we will inform the customer to the extent legally permissible. We may suspend an obviously unlawful instruction until it is confirmed, modified or withdrawn.
7. Confidentiality
We bind all persons with access to personal data to confidentiality unless they are already subject to a statutory confidentiality obligation.
8. Technical and Organisational Measures
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR. The current description is contained in technische-und-organisatorische-massnahmen.md.
We may further develop TOMs provided the security level is not materially reduced. Material deteriorations will be notified to the customer.
9. Subprocessors
The customer grants general authorisation to use subprocessors. The current list is available in unterauftragsverarbeiter.md and/or at /unterauftragsverarbeiter.
We will inform the customer about new or replaced subprocessors before their use within a reasonable period where practically and legally possible. A 30-day period is intended; shorter periods may be required for security, operational or legal reasons.
The customer may object for important data protection reasons. If an objection cannot be resolved through reasonable alternatives, either party may terminate the affected service or contract.
We conclude agreements with subprocessors that meet Art. 28 GDPR requirements. Subprocessors may use further subprocessors where contractually secured and provided for in their provider structure.
10. Third-Country Transfers
Transfers to third countries occur only where GDPR requirements are met, in particular by:
- Adequacy decision under Art. 45 GDPR.
- EU Standard Contractual Clauses under Art. 46 GDPR.
- Additional safeguards where required.
- EU-US Data Privacy Framework where applicable and the provider is certified.
Where Standard Contractual Clauses are required, they apply additionally. Mandatory SCC provisions prevail in case of conflict.
11. Customer Assistance
We reasonably assist the customer with:
- Data subject requests.
- Deletion, access, rectification and export requests.
- Security of processing.
- Reporting and investigating personal data breaches.
- Data protection impact assessments and prior consultation where the processing by savien is affected.
- Return, portability and deletion of customer data after contract end.
The customer remains responsible for legal assessment and communication with data subjects or supervisory authorities where it is controller. Assistance beyond standard functions and reasonable cooperation may be separately charged where legally permissible.
12. Personal Data Breaches
If we become aware of a personal data breach affecting customer data, we will inform the customer without undue delay in accordance with Art. 33 GDPR.
The notification will include, where available:
- Nature of the incident.
- Affected data and person categories.
- Approximate number of affected persons and records, where known.
- Possible consequences.
- Measures taken or proposed.
- Contact point for follow-up questions.
We will take reasonable measures to investigate, contain and prevent similar incidents.
13. Return and Deletion
After contract end, we delete or anonymise customer personal data unless statutory retention obligations, legitimate security interests, disputes or backup cycles prevent this. Upon request, we provide an export option before deletion where technically available.
Backups are overwritten or deleted according to the defined backup cycle. Selective deletion of individual data in production-like backups may be technically excluded as long as backup access is restricted and backups are used only for restoration.
14. Evidence and Audits
Upon request, we provide appropriate evidence of compliance with this DPA, such as TOM descriptions, subprocessor information, security documentation or certificates where available.
Audits are possible after prior coordination if required, proportionate and feasible without endangering security, confidentiality or other customers' rights. Document reviews, questionnaires, certificates or remote audits should be used first.
Costs of external or customer-specific audits are borne by the customer where legally permissible and unless otherwise agreed.
15. International Customer Use
If the customer uses savien for persons, companies or data outside Germany or the EU/EEA, the customer remains responsible for additional local privacy, information and transfer obligations to the extent it determines such use.
16. Order of Precedence
In case of conflicts between the main agreement and this DPA, this DPA prevails for data protection matters. Mandatory statutory requirements and applicable EU Standard Contractual Clauses remain unaffected.