Data Processing Agreement (DPA)
As of 6 July 2026. Agreement on the processing of personal data on behalf of the controller under Art. 28 GDPR, between the customer as controller and the provider as processor. You can request a completed and signed DPA at info@tippel.ai.
Preamble — allocation of roles
The customer uses the KomplAI service (AI-assisted compliance analysis on the EU AI Act, DORA and GDPR, plus document generators) and uploads material (documents, source code) for this purpose. Where such material contains personal data, the provider processes this analysis content on behalf of and on the instructions of the customer; in this respect the customer is the controller and the provider is the processor. This DPA governs only this processing of the analysis content on behalf of the customer.
For the account, usage and billing data arising from operating the account (name, email, credentials, payment and usage events), the provider is itself the controller; that processing is not the subject of this DPA but of the privacy policy.
Parties
Controller (customer): [Name / company, address, represented by] — the “Controller”. The service is addressed exclusively to entrepreneurs within the meaning of § 14 German Civil Code (BGB).
Processor: Tippel — Lukas Friedrich (sole proprietorship), Kampweg 4, 34369 Hofgeismar, Germany, info@tippel.ai, tel. +49 178 5879849 — the “Processor”. No data protection officer has been appointed (a mandatory appointment under Art. 37 GDPR / § 38 BDSG is regularly not applicable); data-protection enquiries to info@tippel.ai.
§ 1 Subject matter, nature and purpose of processing
The subject matter is the processing of personal data contained in the analysis content that the Controller uploads or enters via the KomplAI service, for the purpose of the ordered AI-assisted compliance analysis and document generation (EU AI Act, DORA, GDPR). Nature of processing: collection (receipt of the upload), storage (holding the content and results on the server, assigned to the Controller’s account), transmission to the sub-processors named in § 6 to run the analysis, analysis and provision of the results to the Controller, and deletion. There is no processing for the Processor’s own purposes.
§ 2 Duration
Processing lasts for the duration of the usage relationship (existence of the account and of the ordered analyses). It ends when the usage relationship ends; the consequences for the data are governed by § 10 (deletion or return). Termination of the usage relationship is governed by the terms and conditions (including monthly cancellation of a subscription); this DPA persists for as long as and to the extent that the Processor processes data on behalf of the Controller.
§ 3 Type of data and categories of data subjects (Annex 1)
The type and scope of the personal data contained in the analysis content and the categories of data subjects are determined by the Controller, since it alone decides on the content of the uploaded material. Annex 1 below serves to specify this; it is to be completed or confirmed by the Controller as needed.
| Item | Description |
|---|---|
| Type of personal data | Personal data contained in the material uploaded by the Controller — depending on the material, e.g. names, contact and role data, persons named in contracts/documentation, personal details contained in source code. [to be confirmed / specified as needed by the Controller] |
| Special categories (Art. 9 GDPR) | Should not be uploaded unless a legal basis exists and the Controller specifies them here: [to be completed: none / if any, which] |
| Categories of data subjects | Determined by the Controller, e.g. employees, applicants, customers, suppliers, users, affected third parties. [to be confirmed / specified as needed] |
| Not covered by this DPA | The Controller’s own account, usage and billing data (see preamble — the provider is its own controller for this). |
§ 4 Processing on instructions (Art. 28(3)(a), Art. 29)
The Processor processes the data only on the documented instructions of the Controller — including as regards transfers to a third country or an international organisation; this DPA, its annexes and the use of the service constitute such instructions. There is no processing for the Processor’s own purposes (in particular no advertising or AI-training purposes). Where the Processor is required to process by Union or Member-State law, it informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. If the Processor considers that an instruction infringes the GDPR or other Union or Member-State data-protection provisions, it informs the Controller without undue delay (Art. 28(3) sentence 2 GDPR).
§ 5 Confidentiality (Art. 28(3)(b), Art. 29)
The Processor ensures that persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they process the personal data only on the Controller’s instructions.
§ 6 Technical and organisational measures (Art. 28(3)(c), Art. 32)
The Processor implements the measures described in the annex Technical and organisational measures (TOMs) (Art. 32 GDPR) and keeps them up to date having regard to the state of the art. That annex forms part of this agreement.
§ 7 Sub-processors (Art. 28(2) and (4))
The Controller grants general authorisation to engage the sub-processors named in the annex sub-processor list. Where the Processor intends to engage an additional sub-processor or replace an existing one, it announces this to the Controller in advance. The Controller may object to the intended change on reasonable, data-protection-related grounds within 14 days of receiving the notice (right to object).
The Processor imposes, by way of a contract, substantially the same data-protection obligations on each sub-processor as set out in this agreement, in particular sufficient guarantees to implement appropriate technical and organisational measures (Art. 28(1) and (4) GDPR). Where a sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for the performance of that sub-processor’s obligations.
§ 8 Assistance with data-subject rights (Art. 28(3)(e))
The Processor assists the Controller, as far as possible, by appropriate technical and organisational measures in fulfilling its obligation to respond to requests for exercising data-subject rights (Art. 15–22 GDPR). Where data subjects contact the Processor directly, it forwards the matter to the Controller without undue delay.
§ 9 Assistance with security and notification (Art. 28(3)(f), Art. 32–36)
The Processor assists the Controller, taking into account the nature of processing and the information available to it, in complying with the obligations under Art. 32 (security of processing), Art. 33 and 34 (notification/communication of personal-data breaches), Art. 35 (data protection impact assessment) and Art. 36 GDPR (prior consultation). It notifies the Controller of any personal-data breach affecting the data processed on behalf of the Controller without undue delay after becoming aware of it (Art. 33(2) GDPR) and makes available the information within its possession that the Controller needs to fulfil its notification and communication obligations.
§ 10 Deletion or return (Art. 28(3)(g))
After the end of the provision of processing services, the Processor, at the Controller’s choice, deletes the data processed on behalf of the Controller or returns it and deletes existing copies within 30 days, unless Union or Member-State law requires further storage. [to be confirmed: specific standard deletion period during ongoing operation]
§ 11 Evidence, controls and audits (Art. 28(3)(h))
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor may require that audits take place with reasonable advance notice, during normal business hours, without disproportionate disruption to operations, and that the auditor be bound to confidentiality. Reference is additionally made to the notification duty regarding an instruction the Processor considers unlawful under § 4 (Art. 28(3) sentence 2 GDPR).
§ 12 Third-country transfers (Chapter V GDPR)
Transfers to a third country take place only on a basis permitted under Chapter V GDPR.
As part of the AI analysis, the analysis content is transmitted to the US sub-processors
OpenRouter Inc. (API gateway) and the model provider used (currently Anthropic). The basis
is the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). As a
supplementary measure, provider routing “no retention, no training”
(data_collection: deny) is used. Whether a sub-processor is additionally
certified under the EU-US Data Privacy Framework is to be checked separately [to be checked
whether the provider is certified]. The sub-processors used, places of processing and
transfer bases are set out in the sub-processor list, which
forms part of this agreement.
§ 13 Liability (Art. 82 GDPR)
Liability towards data subjects is governed by Art. 82 GDPR. As between the parties, each party is liable for damage caused by processing attributable to it that infringes the GDPR or this agreement. The Processor is liable for damage only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller (Art. 82(2) sentence 2 GDPR). Otherwise the liability provisions of the terms and conditions and §§ 280 et seq. BGB apply; liability towards data subjects under Art. 82 GDPR remains unaffected.
§ 14 Competent supervisory authority
The supervisory authority competent for the Processor is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Wiesbaden. The authority competent for the Controller depends on the Controller’s establishment.
§ 15 Term and final provisions
This DPA applies for as long as and to the extent that the Processor processes personal data on behalf of the Controller; it ends upon completion of deletion or return under § 10. German law applies, excluding the UN Convention on Contracts for the International Sale of Goods. Amendments and additions require text form. Should individual provisions be or become invalid, the remainder of the agreement remains effective. In the event of conflict, this DPA prevails over the terms and conditions for the area of processing on behalf. Annexes to this agreement are: the TOMs description, the sub-processor list and Annex 1 above (§ 3).
The German version is authoritative.