Login
Why LogiHashScannerAdES VerifierAPIAPI demoDocumentation
Back to Home

Data Processing Addendum (DPA) / AVV Guidance

Structured guidance for a separate data-processing agreement between Trustec Valley UG (haftungsbeschraenkt) and customers.

Effective date: 2026-04-07

Purpose

This document provides a practical structure for DPA negotiations and contractual implementation in LogiHash projects.

1. Parties and roles

  • Customer: controller
  • Trustec Valley UG (haftungsbeschraenkt): processor where applicable

2. Scope and term

  • Processing related to LogiHash service delivery
  • Term generally aligned with the main commercial agreement

3. Nature and purpose of processing

  • Provision of signature and verification functions
  • API operations, document-metadata processing, and audit logging

4. Data categories and data subjects

  • Customer/user data, contact data, and log data
  • Data subjects: employees, customer contacts, and potentially end users

5. TOM annex (technical and organizational measures)

  • Access management and role-based controls
  • Encryption in transit and at rest
  • Key-management procedures
  • Backup and restore controls
  • Monitoring and incident response

6. Subprocessors

  • Telekom Open Cloud (e.g., API Gateway, KMS)
  • Hetzner (hosting / object storage)
  • Additional subprocessors only with contractually defined notice/approval

7. Data-subject rights support

The processor supports the controller with access, rectification, deletion, portability, and legally required notifications.

8. Security incidents

A documented incident-notification process with timelines, channels, and minimum report content should be contractually defined.

9. Audit and evidence clauses

  • Evidence regarding TOM implementation
  • Audit process with confidentiality and proportionality safeguards

10. Data return and deletion

After contract termination, data return or deletion is handled per instruction and applicable legal retention obligations.

11. AI-assisted processing as a security measure

  • Purpose limitation: anomaly detection, fraud prevention, security reporting
  • Documentation of models, input-data categories, and evaluation criteria
  • Human review for critical classifications

12. Reporting and abuse management

  • Define workflows for reports, triage, verification, and escalation
  • Ensure decision logging and traceability

13. Feedback and evaluation data

  • Define which feedback data is treated as personal data
  • Define retention periods and access controls for feedback/survey datasets

14. AdES-specific provisions

  • In the AdES operating model, LogiHash performs identity proofing itself; certificates are obtained from the certificate chain of an appropriate certificate provider.
  • Where AdES features are used, controller/processor role allocation for signature-relevant verification data should be explicitly defined.
  • Retention, integrity evidence, and access controls for signature-relevant logs should be contractually specified.
  • If signing means or key material is suspected to be compromised, accelerated notification, blocking, and rotation obligations should apply.