Eigentum²
v130 March 2026

Data Processing Agreement

Version 1.0

This Data Processing Agreement ("DPA") is entered into between:

The Customer (hereinafter "Controller") — the natural or legal person who has registered for and uses the Eigentum² platform, and

Ilya Baskakov (Operating as: Eigentum²) Von-Müller-Straße 15a 82467 Garmisch-Partenkirchen, Germany Email: support@dein-eigentum.de

(hereinafter "Processor")

This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the Eigentum² platform, in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

§ 1 Subject Matter and Duration

  1. The Processor processes personal data on behalf of the Controller in connection with the provision of the Eigentum² property management platform as described in the Terms of Service.

  2. The duration of this DPA corresponds to the duration of the underlying service agreement (Terms of Service). This DPA automatically terminates upon termination of the service agreement, subject to the data deletion and return obligations in § 12.

§ 2 Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Storage and management of tenant and contact data entered by the Controller
  • Processing of rent payments, security deposits, and financial transaction records
  • Management of lease contracts and associated documentation
  • Storage and organisation of property-related documents and files
  • Facilitating property information sharing with third parties designated by the Controller
  • Facilitating ownership transfer workflows
  • Generating AI-powered property valuations based on property data
  • Sending transactional emails on behalf of the Controller (e.g., property share notifications, transfer invitations)

The Processor does not process personal data for its own purposes.

§ 3 Types of Personal Data

The following types of personal data are processed:

  • Identification data: First name, last name, salutation, date of birth, nationality
  • Contact data: Email address, phone number, mobile number, fax number, postal address
  • Financial data: IBAN, BIC, bank name, payment amounts, rent amounts, security deposit amounts, transaction records
  • Contractual data: Lease contract details (start/end dates, rent model, notice period, special terms), contract numbers
  • Property-related data: Property addresses, unit details, area measurements
  • Communication data: Notes, correspondence records, share messages
  • Document data: Uploaded documents and files (filenames, metadata)
  • Emergency contact data: Name, relationship, phone number of designated emergency contacts
  • Identity verification data: Verification status and timestamps

§ 4 Categories of Data Subjects

The personal data processed concerns the following categories of data subjects:

  • Tenants (Mieter) — current tenants of properties managed by the Controller
  • Prospective tenants (Mietinteressenten) — individuals considered for tenancy
  • Guarantors (Bürgen) — persons providing guarantees for tenants
  • Co-tenants and occupants — additional persons listed on lease contracts
  • Emergency contacts — persons designated as emergency contacts by tenants
  • Property managers and service providers — third-party contacts managing properties
  • Ownership transfer participants — buyers, sellers, notaries, agents involved in property transfers

§ 5 Controller's Instructions

  1. The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

  2. The Controller's instructions are initially defined by this DPA, the Terms of Service, and the functionality of the Eigentum² platform. The Controller may issue additional instructions in Text Form (§ 126b BGB) via email to support@dein-eigentum.de.

  3. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions.

§ 6 Processor's Obligations

The Processor shall:

  1. Process personal data only within the European Economic Area (EEA), unless otherwise agreed or required for the engagement of approved sub-processors (see § 8).

  2. Ensure that processing is carried out in accordance with the GDPR, the BDSG, and all other applicable data protection laws.

  3. Appoint a Data Protection Officer if required by law. As of the date of this DPA, the conditions under § 38 BDSG are not met (fewer than 20 persons regularly engaged in automated processing of personal data).

  4. Not use the personal data for any purpose other than performing the services described in this DPA and the Terms of Service.

§ 7 Confidentiality

  1. The Processor shall ensure that all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  2. This confidentiality obligation shall survive the termination of this DPA.

§ 8 Sub-Processors

  1. The Controller grants the Processor general written authorisation to engage sub-processors for the processing of personal data, subject to the conditions in this section.

  2. The current list of approved sub-processors is set out in Annex 2 of this DPA and is also available at https://dein-eigentum.de/legal/subprocessors.

  3. The Processor shall inform the Controller of any intended addition or replacement of sub-processors at least 30 days before the change takes effect, giving the Controller the opportunity to object to such changes.

  4. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the service agreement without penalty as of the date the sub-processor change was intended to take effect.

  5. The Processor shall impose on each sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

  6. Where a sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

  7. For sub-processors located outside the EEA, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR (e.g., adequacy decision, Standard Contractual Clauses, or EU-US Data Privacy Framework certification).

§ 9 Data Subject Rights

  1. The Processor shall assist the Controller, by appropriate technical and organisational measures and taking into account the nature of the processing, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR (Articles 15-22), including:

    • Right of access (Article 15)
    • Right to rectification (Article 16)
    • Right to erasure (Article 17)
    • Right to restriction of processing (Article 18)
    • Right to data portability (Article 20)
    • Right to object (Article 21)

  2. If a data subject contacts the Processor directly with a request, the Processor shall promptly forward the request to the Controller and shall not respond to the data subject directly unless instructed by the Controller.

§ 10 Data Breach Notification

  1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach.

  2. The notification shall include, to the extent possible:

    • A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned
    • The name and contact details of the Processor's contact point for further information
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

  3. The Processor shall assist the Controller in fulfilling its obligations under Articles 33 and 34 of the GDPR (notification to supervisory authority and communication to data subjects).

§ 11 Audit Rights

  1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

  2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall provide at least 14 days written notice prior to any audit.

  3. Audits shall be limited to one audit per calendar year, unless a data breach or other specific incident requires additional audits. Audits shall generally be limited to one business day and shall be conducted during regular business hours.

  4. The Controller shall bear the costs of audits it initiates, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the costs.

  5. The Processor may demonstrate compliance through submission of relevant certifications (e.g., SOC 2 Type II reports, ISO 27001 certificates) from its hosting providers or through the results of independent third-party audits, provided these are current and comprehensive.

§ 12 Data Deletion and Return

  1. Upon termination of the service agreement, the Processor shall, at the Controller's choice:

    • Return all personal data to the Controller in a structured, commonly used, and machine-readable format, or
    • Delete all personal data and all existing copies

  2. The Controller may export their data for 30 days after the effective date of termination. After this period, the Processor shall delete all remaining personal data.

  3. Data subject to statutory retention obligations (e.g., financial records under § 147 AO, commercial correspondence under § 257 HGB) shall be retained for the legally required period and then deleted. During this period, the data shall be restricted from processing and used only for the purpose of complying with retention obligations.

  4. The Processor shall confirm the completion of data deletion upon the Controller's request.

§ 13 Assistance with Compliance Obligations

The Processor shall assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the Processor:

  • Security of processing (Article 32 GDPR)
  • Notification of personal data breaches to supervisory authorities (Article 33 GDPR)
  • Communication of personal data breaches to data subjects (Article 34 GDPR)
  • Data protection impact assessments (Article 35 GDPR)
  • Prior consultation with supervisory authorities (Article 36 GDPR)

§ 14 Liability

The liability of the parties under this DPA is governed by Article 82 of the GDPR and the liability provisions of the Terms of Service. Each party is liable for damages caused by processing that infringes the GDPR, in accordance with its respective role as Controller or Processor.

§ 15 Final Provisions

  1. This DPA is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).

  2. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

  3. Amendments and supplements to this DPA must be made in Text Form (§ 126b BGB).

  4. If any provision of this DPA is or becomes invalid, the remaining provisions shall remain in force. The invalid provision shall be replaced by a valid provision that most closely reflects the original intent.

Annex 1: Technical and Organisational Measures

The Processor implements the following measures pursuant to Article 32 GDPR:

I. Confidentiality

Access Control (Zugangskontrolle):

  • Authentication via secure password hashing (bcrypt)
  • Optional Google OAuth for single sign-on
  • Session management with secure, HttpOnly cookies
  • Automatic session expiration after inactivity

Data Access Control (Zugriffskontrolle):

  • Role-based access control (RBAC) with granular permissions
  • Organisation-scoped data isolation (multi-tenancy)
  • Principle of least privilege for all user roles

User Control (Benutzerkontrolle):

  • Unique user accounts with email verification
  • Account lockout after repeated failed login attempts
  • Administrative user impersonation with full audit trail

Separation Control (Trennbarkeit):

  • Logical data separation between organisations
  • Separate database schemas for distinct data domains

II. Integrity

Transfer Control (Übertragungskontrolle):

  • All data transmitted via TLS 1.2 or higher
  • Secure API endpoints with authentication tokens

Input Control (Eingabekontrolle):

  • Comprehensive audit logging of all data-modifying operations
  • Change tracking with before/after values, user attribution, timestamps, IP addresses, and user agents

III. Availability and Resilience

Availability Control (Verfügbarkeitskontrolle):

  • Hosting on Vercel EU (Frankfurt) region (SOC 2 Type II, ISO 27001 certified infrastructure)
  • Database hosted on Neon EU (Frankfurt) region (managed PostgreSQL with automatic backups)
  • File storage on Google Cloud Storage (geo-redundant)

Recoverability (Wiederherstellbarkeit):

  • Automated database backups with point-in-time recovery
  • Infrastructure-as-code for rapid environment recovery
  • 30-day data retention for soft-deleted records

IV. Regular Review

Processor Control (Auftragskontrolle):

  • Data processing governed by this DPA
  • Regular review of sub-processor compliance
  • Incident response procedures documented and maintained

Annex 2: Approved Sub-Processors

Sub-ProcessorLocationProcessing PurposeTransfer Mechanism
Vercel Inc.EU (Frankfurt)Hosting, content delivery, serverless computeEU processing; no third-country transfer
Google Cloud Platform (Google LLC)EU (Frankfurt) / USAFile and document storage (Firebase Cloud Storage)EU-US Data Privacy Framework; Standard Contractual Clauses
Neon Inc.EU (Frankfurt)Managed PostgreSQL database hostingEU processing; no third-country transfer
Stripe, Inc.USA / IrelandSubscription billing and payment processingEU-US Data Privacy Framework; Stripe Ireland as EU establishment
Mailjet SAS (Sinch Group)France / EUTransactional email deliveryEU processing; no third-country transfer
OpenAI, Inc.USAAI-powered property valuation (per API request; not used for model training)EU-US Data Privacy Framework; Standard Contractual Clauses
Google Ireland Ltd.Ireland / USAOAuth authentication (Google Sign-In)EU-US Data Privacy Framework

Changes to this list will be notified to the Controller at least 30 days before the change takes effect. The current version is available at https://dein-eigentum.de/legal/subprocessors.

The effective date of this version is displayed above this document.