Data Processing Agreement (DPA)
in accordance with Article 28 of the EU GDPR
between
Company / Name
Full address
Represented by: Authorized representative
Customer ID: Customer number
(hereinafter referred to as the 'Controller')
and
Evonius, Owner Thomas Hörner
Dr.-Fritz-Ebbert-Str. 16, 94034 Passau
E-Mail: policies@evonius.net
(hereinafter referred to as the 'Processor')
§1 Subject Matter, Nature & Purpose of Processing
The Processor provides services (in particular hosting, e-mail services, server provisioning) for the Controller in accordance with the applicable General Terms and Conditions (GTC).
| Processing Details | Description |
|---|---|
| Nature of Processing | Collection, recording, storage, retrieval, consultation, use, disclosure and deletion of data on the provided servers. |
| Purpose of Processing | Provision of storage space, hosting of websites & e-mail accounts as well as ensuring technical operation. |
| Duration of Processing | Processing takes place for an indefinite period and ends with the termination of the underlying main contract (GTC). |
The contractually agreed data processing takes place exclusively within a Member State of the European Union (EU).
§2 Categories of Data Subjects & Data
The data subjects affected by the processing are customers, interested parties, and website visitors of the Controller. The categories of data processed are inventory data, contact data, and usage data.
§3 Obligations of the Processor
- The Processor shall process personal data only on documented instructions from the Controller.
- The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality.
- The Processor assists the Controller through appropriate technical and organizational measures (TOMs).
- The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
§4 Technical & Organizational Measures (TOMs)
The Processor shall implement appropriate technical and organizational measures pursuant to Art. 32 GDPR.
| Measure Category | Implementation by Evonius & Subcontractors |
|---|---|
| Physical Access Control | Physical protection of data centers via video surveillance, security personnel, and access control systems (ISO 27001). |
| System Access Control | Securing all access points using strong passwords & Two-Factor Authentication (2FA). |
| Data Access Control | Strict authorization concept (Need-to-Know principle). |
| Separation Control | Logical multi-tenant separation on the systems. |
| Cryptography | Enforcement of SSL/TLS encryption for data transmission. |
| Availability | Redundant power supply and regular system backups. |
§5 Subprocessing
The Processor is authorized to engage other processors. The Controller hereby consents to the engagement of the following subcontractors:
| Name | Location | Service |
|---|---|---|
| Hetzner Online GmbH | Gunzenhausen, Germany | Provision of server infrastructure |
| netcup GmbH | Karlsruhe, Germany | Provision of server infrastructure |
§6 Obligations of the Controller
The Controller is solely responsible for assessing the admissibility of the data processing.
§7 Deletion & Return of Data
Upon completion of the services, the Processor shall delete all data unless required by law to retain it.
§8 Audit Rights of the Controller
The Processor grants the Controller the right to verify compliance with the TOMs (e.g., via ISO 27001 certificates of the data centers).
§9 Liability
The parties shall be liable for damages in accordance with Art. 82 GDPR.
§10 Final Provisions
Should individual provisions be invalid, the validity of the remaining provisions shall remain unaffected. German law applies.
Electronic Signature:
Agreed on: 07.05.2026
Recorded IP Address: 216.73.216.121
Version: v1.0