Data Processing Agreement (AVV)

Auftragsverarbeitungsvertrag per Art. 28 GDPR / DSGVO — version 2026-05-22.

Last updated 2026-05-22.

This Data Processing Agreement ("AVV") governs the processing of personal data by Heptic BI GmbH (the "Processor") on behalf of the customer venue (the "Controller") in connection with the analytics services provided under the master Order Form / AGB. By accepting this agreement at signup the Controller appoints the Processor on the terms below.

Subject matter and duration

The Processor processes personal data only on documented instructions from the Controller for the purposes of providing the contracted analytics services. Processing continues for the duration of the master service agreement and ceases upon termination, subject to statutory retention obligations.

Categories of data and subjects

Categories of personal data include: employee identifiers and shift records (where the workforce module is enabled), supplier and contact information embedded in invoice metadata, and the Controller's own account-holders' authentication data. Categories of data subjects include the Controller's staff and the Controller's suppliers' contact persons.

Technical and organisational measures

The Processor maintains the TOMs documented in Annex 1 of the master service agreement, including encryption at rest and in transit, role-based access controls, tenant isolation enforced at the query layer (per the codebase's multi-tenancy invariant), and quarterly access reviews.

Sub-processors

The list of approved sub-processors (cloud infrastructure, email delivery, OCR / extraction) is maintained at /legal/sub-processors and updated with 30 days' notice for additions or replacements.

Audit rights

The Controller may audit the Processor's compliance with this AVV once per calendar year on reasonable notice. The Processor will provide an annual SOC 2 / ISO 27001 attestation when available.

Contact

AVV inquiries: dpo@heptic.de.