Skip to content
Vertimas

Legal

Data Processing Agreement

Auftragsverarbeitungsvertrag (AVV) under Art. 28 GDPR — overview

Last updated: 4 June 2026

Where Dixit Algorismi UG (haftungsbeschränkt) (“Vertimas”, “Processor”) processes personal data on behalf of a business customer (“Controller”) through the Vertimas service, the parties enter into this Data Processing Agreement (DPA / AVV) under Art. 28 GDPR. This page summarises the DPA; the binding version is made available for signature before processing begins.

1. Subject-matter and scope

The Processor processes personal data only to provide the service: capture, transcription, summarisation, semantic search, agents and related features. The nature, purpose, duration, the types of personal data and categories of data subjects are specified in the DPA and its annexes.

2. Processor obligations (Art. 28(3))

  • process personal data only on the Controller’s documented instructions, including for transfers;
  • ensure persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures (Art. 32);
  • respect the conditions for engaging sub-processors (Art. 28(2) and (4));
  • assist the Controller with data-subject requests;
  • assist with security, breach notification, DPIAs and prior consultation (Art. 32–36);
  • delete or return all personal data at the end of the service;
  • make available the information needed to demonstrate compliance and allow for audits.

3. Sub-processors

The Controller grants general authorisation for the Processor to engage the sub-processors listed at /legal/subprocessors. The Processor will give advance notice of any intended addition or replacement and a reasonable period to object before the new sub-processor begins processing. The Processor remains fully liable for its sub-processors and flows down equivalent data-protection obligations to each.

4. International transfers

Personal data is processed primarily within the EU (AWS eu-west-1). Where a sub-processor processes data in the United States, transfers are based on the EU-US Data Privacy Framework (for certified recipients) or the 2021 EU Standard Contractual Clauses (Modules 2 and 3) with a transfer impact assessment and supplementary measures as appropriate. Per-vendor mechanisms are listed on the sub-processor page.

5. Technical and organisational measures (TOMs)

The Processor maintains TOMs appropriate to the risk (Art. 32), including encryption in transit and at rest, access controls, logging, and tested deletion. The current TOMs are made available as an annex to the signed DPA on request.

6. How to put the DPA in place

Request and sign the DPA before first processing by contacting info@vertimas.io. Text form (§ 126b BGB) is sufficient; a qualified electronic signature is not required.