Fines up to €20,000,000 or 4% of global turnover

Legal

Data Processing Agreement

Under Article 28 GDPR · Effective 24 May 2026 · Version v1.1

This Data Processing Agreement (the DPA) is concluded between the Customer (the Controller) and Revis-1 LLC, trading as Usantis (the Processor), collectively referred to as the Parties. It governs the processing of personal data by the Processor on behalf of the Controller in the context of the EU representative service (the Service) and forms an integral part of the Terms of Service.

1. Subject matter and duration

1.1 Subject matter: the processing of personal data by the Processor on behalf of the Controller, necessary to provide the Service, including but not limited to acting as the Controller’s EU representative under Article 27 GDPR.

1.2 Duration: this DPA enters into force upon acceptance and remains in force for the duration of the underlying Terms of Service, plus a 30-day handover period after termination.

2. Nature and purpose of the processing

Nature: storing, organising, retrieving, transmitting, consulting and erasing personal data. Purpose: receiving and forwarding data subject and supervisory authority communications, maintaining the records of processing activities, providing the Service Dashboard, identity and sanctions screening, billing, and customer support.

3. Types of personal data and categories of data subjects

Types of personal data

  • Identification data of authorised representatives of the Controller (name, role, email, phone)
  • Business data of the Controller (company name, registered address, VAT-ID, tax IDs)
  • Identity verification data collected during onboarding (e.g. ID document, selfie, sanctions screening result)
  • Data subject request content (free-text submissions by EU data subjects, identification data, correspondence)
  • Authority correspondence content (letters, decisions and inquiries from supervisory authorities)
  • Audit-log metadata (IP address, user-agent, timestamps of administrative actions)

Categories of data subjects

  • Authorised representatives, employees and contractors of the Controller
  • EU data subjects who address communications to the Controller via the Service
  • Representatives of supervisory authorities

4. Obligations of the Processor

4.1 The Processor processes personal data only on documented instructions of the Controller, including in respect of transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law.

4.2 The Processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.

4.3 The Processor implements the technical and organisational measures set out in Annex 1.

4.4 The Processor respects the conditions for engaging sub-processors set out in Section 7.

4.5 Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising data subject rights.

4.6 The Processor assists the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR.

4.7 At the choice of the Controller, the Processor deletes or returns all personal data after the end of the provision of services, subject to statutory retention.

4.8 The Processor makes available to the Controller all information necessary to demonstrate compliance and allows for and contributes to audits in accordance with Section 10.

5. Obligations of the Controller

5.1 The Controller warrants that the processing of personal data on the basis of this DPA is lawful.

5.2 The Controller is responsible for accurate information about its processing activities and for clear, lawful and unambiguous instructions.

6. Data subject rights

Where the Processor receives a request from a data subject directly, the Processor will, without undue delay, forward the request to the Controller and not respond on its own initiative unless instructed by the Controller or required to confirm receipt.

7. Sub-processors

7.1 The Controller grants general authorisation for the engagement of sub-processors. A current list of sub-processors is set out in Annex 2 below.

7.2 Notice period. The Processor will notify the Controller in writing (email is sufficient) of any intended addition or replacement of sub-processors at least thirty (30) days before the change. Where the new sub-processor is located outside the EU/EEA, the Controller may object immediately upon notification and may, on reasonable grounds, terminate the affected subscription with effect from the date the engagement would take effect. For sub-processors within the EU/EEA, the Controller may object within the 30-day notice period on reasonable grounds; objections that cannot reasonably be accommodated may result in termination of the affected service.

7.3 The Processor concludes written agreements with each sub-processor imposing data protection obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor’s obligations.

8. International transfers

8.1 The Processor keeps the entire critical processing path within the European Union. All sub-processors engaged for the electronic signature of the Power of Attorney, identity verification, hosting, error monitoring, transactional email and analytics process personal data exclusively in the EU/EEA.

8.2 Where, exceptionally, the engagement of a sub-processor entails a transfer of personal data to a third country, the Processor ensures that the transfer is covered by (a) an adequacy decision under Article 45 GDPR, (b) the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by additional safeguards where required, or (c) another valid transfer mechanism under Chapter V GDPR. A Transfer Impact Assessment (TIA) is then performed and is available on request.

9. Personal data breach notification

9.1 The Processor notifies the Controller without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting the Controller’s personal data.

9.2 The notification will include (a) a description of the nature of the breach, (b) the categories and approximate number of data subjects and personal data records concerned, (c) the likely consequences, and (d) the measures taken or proposed to address the breach.

10. Audits and inspections

10.1 Routine audit. The Processor allows the Controller to verify compliance with this DPA, including by means of inspections, no more than once per calendar year, with at least 30 days’ prior written notice, during ordinary business hours, and without unreasonable disruption to the Processor’s operations.

10.2 Cause-based audit. In addition to the routine audit in 10.1, the Controller may at any time conduct an extraordinary audit with at least 10 business days’ prior written notice in the event of (a) a documented personal-data breach affecting the Controller’s data, (b) an order or formal request of a competent supervisory authority addressed to the Controller, or (c) any other documented reasonable suspicion of a material breach of this DPA by the Processor. The Controller bears the cost of the extraordinary audit unless the suspicion is materially substantiated.

10.3 The Processor may satisfy routine audit requirements by providing relevant certifications (e.g. ISO 27001 of the hosting provider), the current TOM documentation and written responses to a Controller questionnaire.

11. Liability and direct GDPR liability

11.1 Contractual liability of the Parties under this DPA is governed by the provisions of the underlying Terms of Service, including the liability cap.

11.2 Direct liability under Article 82 GDPR. The contractual cap in Section 11.1 applies only to the contractual relationship between the Parties. It does not apply to and does not limit the direct statutory liability of either Party to a data subject under Article 82 GDPR, nor to any other liability that cannot be limited by contract under mandatory Union or Member State law.

12. Governing law

This DPA is governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction is Berlin, Germany.

13. Severability and precedence

13.1 If any provision of this DPA is or becomes invalid, the remaining provisions remain in force.

13.2 In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

Annex 1 — Technical and Organisational Measures (TOMs)

The Processor implements the technical and organisational measures pursuant to Article 32 GDPR documented in the separate Usantis Technical and Organisational Measures document, which forms an integral part of this DPA and is current at the date of acceptance.

Summary

  • Encryption in transit (TLS 1.3) and at rest; field-level AES-256-GCM for sensitive personal data.
  • Role-based access control with mandatory MFA for administrative access; row-level security in PostgreSQL for multi-tenancy.
  • Append-only audit log with cryptographic hash chain for tamper evidence.
  • Daily encrypted backups; quarterly restore tests; RPO ≤ 24h, RTO ≤ 8h.
  • Quarterly dependency scans, annual external penetration test, biannual access reviews.
  • Personnel confidentiality undertakings, security training on hire and annually.

Annex 2 — Sub-Processors

The following sub-processors are engaged in the provision of the Service. Changes to this list are notified in line with Section 7.

Sub-processorPurposeLocationTransfer mechanism
Hetzner Online GmbHHosting infrastructure, backupsGermany / FinlandEU
Cloudflare, Inc.Edge proxy, CDN, DNSUSAEU-US DPF (SCCs fallback)
Stripe, Inc.Payment processing, Stripe Tax, identity verification (Stripe Identity)USAEU-US DPF (SCCs fallback)
Resend Inc.Transactional email (EU region)EU / USAEU SCCs
Skribble AG (Skribble Deutschland GmbH)Electronic signature (SES) for Power of AttorneyGermany hosting (IONOS) / Switzerland seatCH adequacy decision Art. 45(1) GDPR
DeepL SETranslation of data subject requestsGermanyEU
Functional Software EU GmbH (Sentry)Application error monitoring (EU region)GermanyEU
Plausible Insights OÜCookieless analyticsEstoniaEU
Crisp IM SASCustomer helpdeskFranceEU

Changelog

  • v1.1 (24 May 2026) — Audit clause split into routine + cause-based; sub-processor notice period extended to 30 days with immediate objection for non-EU sub-processors; Article 82 GDPR carve-out from contractual cap made explicit; Annex 1 TOMs summarised with reference to standalone document.
  • v1.0 (24 May 2026) — Initial publication.

← Back to homepage