Data Processing Agreement (DPA)

Effective date: 3 May 2026 Version: 1.0

What this document must contain

  • Identification of the parties (Controller and Processor)
  • Subject matter, duration, nature and purpose of the processing
  • Types of personal data and categories of data subjects
  • Processor obligations under Article 28(3) GDPR
  • List of sub-processors and the procedure for changing them
  • Technical and organisational measures (TOMs)
  • Client's audit rights
  • Procedure in the event of a personal data breach (breach notification)
  • International data transfers (SCCs for non-EU)
  • Return / deletion of data after termination
  • Term and termination
  • Governing law

1. Contracting parties

Controller (hereinafter the "Client"):

  • Business name: [CLIENT]
  • Company ID (IČO) / VAT ID (DIČ): [CLIENT IČO/DIČ]
  • Registered office: [CLIENT REGISTERED OFFICE]
  • Represented by: [CLIENT EXECUTIVE DIRECTOR]

Processor (hereinafter "Avanterro"):

  • AVANTERRO SYSTEMS s.r.o.
  • Company ID (IČO): 24568082
  • Registered office: Příčná 1892/4, Nové Město, 110 00 Prague 1, Czech Republic
  • Registered in the Commercial Register kept by the Municipal Court in Prague, Section C, Insert 442318
  • Represented by executive directors registered in the Commercial Register
  • Contact: info@avanterro.com

(The Client and Avanterro are hereinafter jointly referred to as the "Parties".)

Form of conclusion. This Data Processing Agreement (hereinafter the "DPA") forms an integral part of the Terms and Conditions and the Service contract. By accepting the Terms during registration, the Client simultaneously enters into this DPA. If the Client requires a separately signed DPA, we will provide a counterpart for signature upon request.

2. Subject matter and purpose of processing

2.1 The subject matter of this DPA is the processing of personal data by Avanterro on behalf of the Client to the extent necessary for the proper provision of the Avanterro Service (a cloud-based information system for the management of service businesses).

2.2 Nature of processing: storage, organisation, structuring, making available, retrieval, use in normal Service operation, backup, deletion.

2.3 Purpose of processing: to enable the Client to maintain records of its customers, bookings, invoices, work orders, photo documentation and similar business records within the Service.

2.4 Duration of processing: for the duration of the Subscription and a further 60 days after its termination (the so-called export window), and for any additional period necessary to comply with Avanterro's statutory obligations.

2.5 This DPA complies with Article 28 of Regulation (EU) 2016/679 (GDPR) and with Act No. 110/2019 Coll. on Personal Data Processing.

3. Roles of the Parties and scope of instructions

3.1 In relation to the personal data that the Client uploads into the Service, the Client is the controller. Avanterro is the processor.

3.2 Avanterro processes personal data solely on the documented instructions of the Client, unless required to do so by EU or Member State law (Article 28(3)(a) GDPR). If Avanterro is subject to such an obligation, it shall inform the Client thereof in advance, unless that law prohibits such information.

3.3 The Client's instructions are specified in particular by:

  • the Client's configuration of the Service (user roles, retention settings),
  • API and webhook configuration,
  • additional instructions sent by e-mail to info@avanterro.com.

3.4 If Avanterro considers that any of the Client's instructions infringes the GDPR or other data protection legislation, it shall inform the Client in writing without delay and may refuse to carry out such an instruction.

4. Categories of personal data and data subjects

4.1 Categories of data subjects

  • end customers of the Client (natural persons) – records in the application,
  • the Client's employees and collaborators – Users of the Service,
  • the Client's suppliers whose data the Client maintains,
  • other natural persons whose data the Client uploads into the Service.

4.2 Categories of personal data

  • identification data: first name, surname, title, Company ID (IČO)/VAT ID (DIČ),
  • contact details: address, e-mail, telephone,
  • data on the relationship with the Client: order, payment and booking history, notes,
  • financial data: payment amounts, invoice numbers, IBAN (where the Client fills it in),
  • attachments and photographs: documentation of work orders, vehicles, premises (may contain information about the condition of property, licence plates, etc.),
  • audit logs: who performed what action and when,
  • to the extent the Client uploads them into the Service, any other data (Avanterro does not recommend that the Client upload special categories of data within the meaning of Article 9 GDPR).

4.3 Special categories of data

The Service is not intended for the processing of special categories of personal data (Article 9 GDPR – health data, biometrics, sexual orientation, etc.) or criminal-conviction data (Article 10 GDPR). If the Client nevertheless uploads such data into the Service, the Client does so at its own responsibility and must have an appropriate legal basis for it.

5. Avanterro's obligations (Article 28(3) GDPR)

Avanterro undertakes that it shall:

a) process personal data only on documented instructions of the Client in accordance with section 3 of this DPA;

b) ensure that persons authorised to process the personal data are bound by an obligation of confidentiality (whether contractual or statutory);

c) implement technical and organisational measures in accordance with Article 32 GDPR (see Annex A below);

d) engage another processor (sub-processor) only under the conditions set out in section 6 of this DPA;

e) assist the Client by appropriate measures in fulfilling the Client's obligation to respond to data subject requests (Articles 12–22 GDPR), under reasonable technical and organisational conditions;

f) assist the Client in complying with its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation with the ÚOOÚ);

g) at the end of the provision of the Service, return or delete all personal data at the Client's choice (section 9 of this DPA);

h) make available to the Client all information necessary to demonstrate compliance with the obligations under Article 28 GDPR and allow for audits in accordance with section 7 of this DPA.

6. Sub-processors

6.1 Authorisation to use sub-processors

The Client grants Avanterro a general authorisation to engage other processors (sub-processors), subject to the condition that Avanterro contractually imposes on each of them the same obligations as those it has under this DPA.

6.2 Current list of sub-processors

Sub-processorLocationPurposeTransfer safeguard
Hetzner Online GmbHNuremberg, Germany (EU)Hosting of application servers and databasesNot required (EU/EEA)
Paddle.com Market LimitedDublin, Ireland (EU)Payment processing (Merchant of Record)Not required (EU/EEA)
Make.com (Celonis SE / Integromat s.r.o.)Prague, Czech Republic (EU)Webhook automationNot required (EU/EEA)
Functional Software, Inc. (Sentry.io)San Francisco, California, USAError monitoring (technical error reports)Standard Contractual Clauses (SCCs), Processor-to-Processor module; supplementary measures (PII filtering)
Amazon Web Services EMEA SARL (S3) or Backblaze, Inc. (B2)Frankfurt am Main, DE / USA depending on choiceObject storage – attachments, photographsEU region by default; for the US region SCCs, Processor-to-Processor module
Google LLC (Gemini API)Mountain View, California, USAMachine translation of UI strings (anonymised strings, do not contain personal data)SCCs; no personal data of data subjects is transmitted to the API
SMTP relay providerEU / USA depending on choiceSending of transactional e-mails (name, e-mail address, subject, content)SCCs for non-EU sub-processors, Processor-to-Processor module

The current list is always available at https://avanterro.com/en/subprocessors.

6.3 Changes to the list of sub-processors

Avanterro shall inform the Client of the addition or replacement of a sub-processor at least 30 days in advance, by e-mail or by an in-app notice. The Client has the right to raise a reasoned objection to such a change by sending it to info@avanterro.com before the change takes effect.

If the objection cannot be resolved, the Client has the right to terminate the Service contract on this ground with effect as of the date the change takes effect; until then, Avanterro shall not engage the new sub-processor, unless there is no other reasonable technical solution (in which case Avanterro shall inform the Client in advance and provide a reasonable period for migration).

7. Audit

7.1 The Client is entitled to verify Avanterro's compliance with the obligations under this DPA at most once a year, in the following scope:

  • as a standard, by means of a written questionnaire, to which Avanterro shall respond within 30 days; the response may include copies of current certificates, results of penetration tests and descriptions of the TOMs;
  • through an independent third party bound by confidentiality, where the Client demonstrates a legitimate reason (e.g. a regulatory requirement);
  • on-site audits are available only to Clients on the ENTERPRISE plan, on the basis of a prior written agreement, with at least 30 days' notice, carried out during normal business hours so as not to disrupt the operation of the Service.

7.2 An extraordinary audit is also possible beyond the annual frequency where there is a serious reason to do so (in particular following a significant incident or at the express request of the supervisory authority).

7.3 The costs of a standard questionnaire audit are borne by Avanterro. The costs of an on-site audit and of an audit by a third party are borne by the Client, unless the audit demonstrates a material breach of Avanterro's obligations – in which case the costs are borne by Avanterro.

8. Personal data breach (breach notification)

8.1 Avanterro undertakes, without undue delay and no later than within 72 hours of becoming aware of a personal data breach, to notify the Client of such breach by e-mail at the primary contact address indicated in the Client's account.

8.2 To the extent possible at the time, the notification shall contain:

  • a description of the nature of the breach (categories and number of data subjects affected, categories and number of records affected),
  • the name and contact details of the person from whom further information can be obtained,
  • a description of the likely consequences of the breach,
  • a description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

8.3 The Client is responsible for fulfilling its own notification obligation towards the ÚOOÚ (Article 33 GDPR) and towards the data subjects (Article 34 GDPR). Avanterro shall provide the Client with reasonable cooperation.

8.4 This section does not apply to intrusion attempts that have been successfully repelled and that have not resulted in a compromise of the confidentiality, integrity or availability of personal data.

9. Termination and return / deletion of data

9.1 Upon termination of the provision of the Service for any reason, Avanterro shall provide the Client with a 60-day export window, during which the Client may download the personal data in a common machine-readable format (in particular JSON or CSV) by means of the Service's standard export function or upon request.

9.2 After the export window expires, Avanterro shall permanently delete all personal data, including copies, unless further retention is required by EU or Member State law (e.g. retention of accounting and tax documents). In such a case, Avanterro shall further process such data solely to comply with the legal obligation and shall protect it with appropriate TOMs.

9.3 Backups. Personal data contained in backup copies are deleted in accordance with the backup rotation schedule – at the latest within 35 days of deletion from the live database. During this period, the backups are isolated, used only for recovery purposes, and encrypted.

9.4 Upon the Client's request, Avanterro shall confirm in writing that deletion has been carried out.

10. International transfers

10.1 If the processing involves the transfer of personal data to a third country or an international organisation, Avanterro shall ensure such transfer through one of the instruments listed in Chapter V of the GDPR – primarily by means of Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), in the relevant module (Controller-to-Processor or Processor-to-Processor).

10.2 Where necessary, Avanterro supplements the SCCs with technical and organisational measures (encryption at rest and in transit, pseudonymisation, restriction of provider personnel access, transparency reporting).

10.3 Avanterro shall provide a current copy of the relevant SCCs to the Client upon request.

11. Term and termination

11.1 This DPA enters into force upon conclusion of the Service contract (acceptance of the Terms) and terminates together with the termination of that contract.

11.2 Provisions of this DPA whose nature is to survive the termination of the contract (in particular obligations to return/delete data, confidentiality and liability) shall remain in force after its termination to the extent necessary to fulfil their purpose.

12. Liability and sanctions

12.1 The Parties shall be liable for damage caused by breach of obligations under the GDPR and this DPA in accordance with Article 82 GDPR.

12.2 The limitation of liability agreed in the Terms shall apply mutatis mutandis to claims arising from this DPA, with the exception of cases of intent, gross negligence and breaches of obligations on which a limitation of liability cannot be relied on under Section 2898 of the Civil Code. This is without prejudice to the powers of supervisory authorities and to data subjects' claims arising directly under Article 82 GDPR.

13. Final provisions

13.1 This DPA is governed by the laws of the Czech Republic and by the GDPR.

13.2 In the event of any conflict between the Terms and this DPA, this DPA shall prevail in matters concerning the processing of personal data.

13.3 Should any provision of this DPA become invalid or ineffective, this shall not affect the validity of the remaining provisions; in such a case, the Parties shall replace the invalid provision with one that most closely approximates its purpose.

13.4 This DPA is drawn up in the Czech language version, which is the binding version. The English version is provided solely for the Client's convenience.

Annex A – Technical and Organisational Measures (TOMs)

Taking into account the nature, scope and purpose of the processing, Avanterro applies in particular the following measures:

A.1 Encryption

  • Encryption in transit: TLS 1.2+ on all endpoints (web, API, e-mail), HSTS, automatic HTTP→HTTPS redirect, modern cipher suites (AEAD).
  • Encryption at rest: AES-256 at the level of database storage and object storage (Hetzner / AWS S3 / Backblaze B2). User passwords are stored exclusively as a bcrypt hash with an appropriate cost factor.

A.2 Access control

  • Principle of least privilege at the level of application roles and infrastructure.
  • Multi-factor authentication (MFA) mandatory for Avanterro administrators with access to production infrastructure.
  • Multi-tenant isolation – data of individual Clients is logically separated at the row level (tenantId scope) and enforced at both the application and Prisma query level.
  • Audit log – record of access by Avanterro administrators to a specific Client's data; access only for the purpose of resolving a support ticket or an incident.

A.3 Backup and recovery

  • Regular backups of databases with a retention period of 35 days, encrypted with AES-256.
  • Geographically separated backup storage from the primary data.
  • Periodic recovery tests (restore drills).

A.4 Secure development (Secure SDLC)

  • Code review of all changes before deployment to production.
  • Static security analysis (SAST) in CI/CD: linting, type-check, BOLA test, npm audit, Snyk scanning (Monday + Thursday).
  • Dependency management – regular updates of libraries and CVE monitoring.
  • Separated environments for development / staging / production.

A.5 Operations and monitoring

  • 24/7 monitoring of availability and security incidents; error monitoring (Sentry) with anonymisation.
  • Incident Response Plan with defined roles, escalation paths and communication channels.
  • Patch management – critical security patches are deployed within 7 days of release; other patches are applied as part of regular cycles.

A.6 Human factors

  • Confidentiality – all employees and external collaborators with access to personal data are bound by confidentiality.
  • Security training – regular basic data protection training.
  • Background checks to the extent permitted by Czech law for roles with privileged access.

A.7 Physical security

  • Data centres of the sub-processor Hetzner Online GmbH in Germany, certified to ISO/IEC 27001, with controlled physical access, biometric readers and redundant power and cooling.

A.8 Continuity

  • RPO (Recovery Point Objective): max. 24 hours (daily backups) for the standard regime; for the ENTERPRISE plan, a better RPO can be agreed individually.
  • RTO (Recovery Time Objective): max. 24 hours for full restore.

This document takes effect on 3 May 2026. Version 1.0.