Data Processing Agreement (DPA)
Last updated: June 5, 2026
Data Processing Agreement pursuant to Art. 28 GDPR between you as the Controller and Blina Space as the Processor. It is effectively accepted upon use of the platform or registration and forms part of the Terms of Service.
- Subject Matter & Roles
- Subject Matter, Nature & Purpose
- Types of Data & Data Subjects
- Binding Instructions
- Obligations of the Processor
- Technical & Organisational Measures
- Sub-processors
- Assistance & Data Subject Rights
- Notification of Data Breaches
- Deletion & Return
- Evidence & Audit Rights
- Liability & Final Provisions
Subject Matter & Roles of the Parties
Controller (Client): the customer who uses the platform and decides on the purpose and means of processing the data that is submitted.
Processor (Contractor):
Pinner Straße 11, 42579 Heiligenhaus, Germany · VAT ID: DE458209074
[email protected]
The Processor processes personal data exclusively on behalf of and on the instructions of the Controller (Art. 28, 29 GDPR).
Subject Matter, Nature and Purpose of Processing
Subject matter: Provision of a SaaS platform for document management, storage, search and optional AI-assisted processing.
Nature of processing: Collection, storage, organisation, indexing, searching, display, transmission (to selected sub-processors), deletion.
Purpose: Performance of the usage contract (Terms of Service) — management of the documents and data submitted by the Controller.
Duration: For the term of the usage contract. After termination, Section 10 (Deletion/Return) applies.
Types of Data & Categories of Data Subjects
Categories of personal data (determined by the Controller):
- Master data (names, addresses, contact details)
- Document contents and text extracted therefrom (OCR), metadata, tags
- Communication and message contents (team chat)
- where applicable, special categories (Art. 9), insofar as submitted by the Controller
Categories of data subjects: customers, clients, employees, suppliers and other business partners of the Controller.
Binding Instructions
The Processor processes the data exclusively on documented instructions from the Controller, including the configuration via the platform. Verbal instructions are confirmed without undue delay in writing (text form is sufficient).
If the Processor considers an instruction to be unlawful, it informs the Controller without undue delay (Art. 28(3)(h) GDPR).
Obligations of the Processor
- Confidentiality: persons authorised to process are bound to confidentiality (Art. 28(3)(b), Art. 29).
- Security: implementation of the measures pursuant to Art. 32 GDPR (Section 6).
- Sub-processors: engagement only in accordance with Section 7.
- Assistance: cooperation with data subject rights and security (Section 8, Section 9).
- Accountability: provision of the required evidence (Section 11).
Technical & Organisational Measures (Art. 32)
- Encryption: TLS/HTTPS during transmission; encrypted backups.
- Tenant separation: dedicated database per company (database-per-tenant) — strict logical isolation.
- Access control: role-based permissions, password hashing (bcrypt), two-factor authentication (2FA).
- Malware protection: antivirus scanning (ClamAV) on every upload.
- Network/server: firewall and container isolation, SSH-key-only access, automatic security updates.
- Availability/recoverability: encrypted EU backups, immutable (WORM) off-site backup.
- Logging: audit logs of security-relevant actions.
Sub-processors
The Controller generally authorises the engagement of the following sub-processors. Each is contractually bound (Art. 28):
- Hetzner Online GmbH (DE) — hosting, storage, backups (EU). DPA
- Cloudflare — CDN, tunnel, security. DPA
- Stripe — payment processing. Privacy
- Brevo — email delivery (transactional). Terms
- OpenAI / Anthropic / Google — optional AI features, only when activated, API mode, no training (EU-US DPF / SCCs).
Assistance & Data Subject Rights
The Processor assists the Controller with appropriate measures in fulfilling data subject rights (access, rectification, erasure, restriction, data portability, objection — Art. 15–21) as well as data protection impact assessments (Art. 35) and consultations (Art. 36).
If a data subject contacts the Processor directly, the Processor forwards the request to the Controller without undue delay.
Notification of Data Breaches
The Processor notifies the Controller of personal data breaches without undue delay after becoming aware of them (Art. 33(2)) and assists with notification obligations towards the supervisory authority (72 hours) and data subjects (Art. 33, 34).
Deletion & Return after End of Contract
After termination of the usage contract, the processed data is, at the Controller's choice, deleted or returned, and any existing copies are deleted — within 30 days, unless a statutory retention obligation applies (Art. 28(3)(g)). A data export is available via the platform.
Evidence & Audit Rights
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations under Art. 28 and allows for and contributes to audits — including inspections — conducted by the Controller or an appointed auditor (Art. 28(3)(h)), subject to reasonable prior notice and without disrupting the operations of other tenants.
Liability & Final Provisions
The liability rules of Art. 82 GDPR apply. In addition, the liability provisions of the Terms of Service apply. In the event of conflicts between this DPA and the Terms of Service, this DPA prevails with regard to data processing.
German law applies. Amendments require text form. Should any provision be invalid, the validity of the remaining provisions remains unaffected.