Data Processing Agreement (AVV) — snori
Courtesy English translation. The German version (Deutsche Fassung) is the legally controlling text.
Effective from: 2026-07-02
This agreement supplements snori's General Terms and Conditions (AGB), in particular Section 12 (data protection, data processing). It applies to the processing of personal data that the Customer stores in their workspace (workspace Content). For account, contract, payment, and support data, snori is itself the controller; the separate privacy policy applies to that data, not this agreement.
between
the user of the snori platform (the "Client" or "Controller")
and
INREMA Unternehmensberatung GmbH
Rentmeister-Wilhelm-Weg 16, 33181 Bad Wünnenberg, Germany
represented by managing director Tanja Rüdiger
HRB 14352, Amtsgericht Paderborn · VAT ID DE328873726
(the "Processor" or "snori")
— together "the Parties" —
the following data processing agreement pursuant to Art. 28 GDPR is concluded.
Section 1 Subject matter and duration of processing
(1) Subject matter: the Processor processes personal data on behalf of the Controller in connection with providing the "snori" software-as-a-service platform — specifically the storage, processing, and provision of Content the Controller places in their workspace, including access via the App connection to an external AI system that the Controller connects themselves (see Section 7(3)).
(2) Duration: this agreement applies for the duration of the usage contract (AGB) between the Parties. It ends automatically when that contract ends, but not before all post-contractual obligations have been fulfilled (in particular deletion or return under Section 5.6).
Section 2 Nature and purpose of processing
Nature of processing: collecting, storing, retrieving, altering, transmitting, and erasing personal data in the course of system operation, including full-text and semantic indexing for search and filing functions.
Purpose: providing the functionality of the snori platform as described in the main contract (AGB Section 2) — storage and organization of documents, notes, and structured tables, and read and/or write access to them by an external AI system connected by the Controller themselves.
Section 3 Categories of personal data
The following categories of data may in particular be processed under this agreement, to the extent the Controller places them in their workspace:
- Documents, notes, and table content entered by the Controller (free text, any content of the Controller's choosing)
- Metadata relating to this Content (timestamps, version history, page-tree structure)
- Access and audit logs for the App connection (which connected AI system read or wrote which content, and when)
The Controller is responsible for not entering special categories of personal data (Art. 9 GDPR) or other particularly sensitive data without themselves ensuring the necessary legal basis and, where applicable, a data protection impact assessment (cf. AGB Section 12(3), 11-produktkonzept.md Section 2.2).
Section 4 Categories of data subjects
The Controller themselves, as well as individuals about whom the Controller enters data in their workspace (e.g. the Controller's contacts, customers, employees), and invited members of a shared workspace (cf. 11-produktkonzept.md Section 2.4).
Section 5 Obligations of the Processor
5.1 Bound by instructions
The Processor processes personal data exclusively on the Controller's documented instructions. This agreement, together with use of the platform in accordance with the account and permission settings made by the Controller, constitutes a documented instruction. Additional instructions require text form. If the Processor considers an instruction to violate the GDPR or other data protection law, it will inform the Controller without undue delay.
5.2 Confidentiality
The Processor ensures that persons authorized to process the data are bound to confidentiality or subject to an appropriate statutory duty of confidentiality.
5.3 Technical and organizational measures
The Processor implements the measures required under Art. 32 GDPR (see Annex 1 — TOMs) and reviews and updates them regularly.
5.4 Sub-processors
The Processor engages sub-processors only as listed in Annex 2 (subprocessor list). The Processor will announce changes to this list at least 30 days in advance; the Controller may object to the change within this period and, in the event of objection, is entitled to terminate the main contract for cause. External AI systems connected by the Controller themselves are not sub-processors of the Processor — see Section 7(3).
5.5 Assisting the Controller
The Processor assists the Controller, to the extent technically possible and reasonable, in fulfilling data subject requests (access, rectification, erasure, restriction, portability) and in complying with the obligations under Art. 32 to 36 GDPR.
5.6 Deletion and return
Upon termination of the processing, the Processor deletes all of the Controller's personal data or returns it, unless a statutory retention obligation precludes this. Specifically, the mechanism set out in AGB Section 13(4) applies: workspace Content as well as all chats, conversation histories, and other records (including interactions with the support chatbot referred to in Section 7(4)) are deleted from the active system without undue delay upon deletion of the account; backup copies are retained for 30 days and then irrevocably deleted; the statutory retention period of 10 years applies to invoicing and accounting data (Section 147 AO, Section 257 HGB) — no personal data beyond what these records require is stored alongside them. The Controller may export their Content at any time before deletion (AGB Section 13(3)).
5.7 Audits and evidence
The Processor provides the Controller with the information necessary to demonstrate compliance with this agreement and enables reasonable audits by the Controller or an auditor engaged by the Controller. Audits must be announced with at least 14 days' notice and must not unreasonably impair operations.
Section 6 Obligations of the Controller
- The Controller is the controller within the meaning of the GDPR for the Content they place in their workspace and bears responsibility for the lawfulness of the processing, including the decision as to which external AI system is granted access (cf. AGB Sections 8, 9).
- The Controller issues instructions exclusively in text form.
- The Controller informs the Processor without undue delay upon discovering errors or irregularities in the processing.
- The Controller is responsible for compliance with data protection law on their own side, in particular for establishing a legal basis for processing special categories of personal data, should they enter such data.
Section 7 Sub-processing relationships and third-country transfers
(1) The following sub-processors are approved as of the conclusion of this agreement (full details in Annex 2):
| Provider | Purpose | Location |
|---|---|---|
| IONOS SE | Hosting (Webserver2), infrastructure, including backup storage exclusively on its own infrastructure | Germany (Frankfurt) |
| Cloudflare, Inc. | Pure network proxy for DDoS/WAF protection — no persistent storage or caching of workspace Content | USA (Standard Contractual Clauses) |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU); US parent Stripe, Inc. for any resulting third-country processing (Standard Contractual Clauses) |
| OpenAI Ireland Limited | AI model (GPT, via the commercial OpenAI API) for the support chatbot in the help section (see paragraph 4) | Ireland (EU); affiliated US entity (OpenAI OpCo, LLC) for any resulting processing (Standard Contractual Clauses) |
(2) Transfers to third countries (the USA) occur, where applicable, for Cloudflare, for Stripe, and for the OpenAI API processing underlying the support chatbot, on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
(3) Externally connected AI systems are not sub-processors of the Processor. The Controller independently connects an external AI system of their own choosing (e.g. ChatGPT, Claude, Gemini, Perplexity, or comparable third-party services) to their workspace via the App. The Processor does not select this AI system, does not conclude its own data processing agreement with its provider, and has no influence over its processing. In this respect, the Controller is themselves responsible for establishing the necessary data protection basis with the AI provider of their choice (the Controller's own contract with that provider, and, where applicable, a separate data processing agreement between the Controller and the AI provider). This corresponds to AGB Sections 8 and 9.
(4) By contrast, the AI-assisted support chatbot in the help section (AGB Section 16(3)) is a sub-processor of the Processor in its own right, since the Processor itself selects, deploys, and is responsible for it — unlike the AI connected by the Controller under paragraph (3). OpenAI is used, exclusively via the commercial OpenAI API (not the consumer ChatGPT interface), under a commercial API agreement. Under the applicable OpenAI API terms of use, inputs and outputs are not used to train OpenAI models; processing occurs solely to answer the respective request (stateless, per conversation).
Section 8 Personal data breaches
The Processor notifies the Controller without undue delay, and no later than 24 hours after becoming aware, of a breach of the security of personal data affecting the Controller's workspace Content (cf. AGB Section 12(5)). The notification includes, to the extent known: the nature of the breach, the categories of data and data subjects affected, the likely consequences, and the measures taken or proposed. Notifying the competent supervisory authority (Art. 33 GDPR) and informing affected data subjects (Art. 34 GDPR) is the responsibility of the Controller; the Processor assists as necessary.
Section 9 Liability
The liability provisions of Art. 82 GDPR in conjunction with Section 11 of snori's AGB apply.
Section 10 Final provisions
(1) Should individual provisions of this agreement be invalid, this does not affect the validity of the remaining provisions.
(2) German law applies. Section 17 of snori's AGB applies correspondingly for jurisdiction.
Annex 1: Technical and organizational measures (TOMs)
Pursuant to Art. 32 GDPR, as specified in 13-sicherheitsarchitektur.md:
- Hosting isolation: a dedicated, isolated container and database on Webserver2 (IONOS Frankfurt), no container or database shared with other projects operated there.
- Tenant separation: Row-Level Security (RLS) as the primary, database-enforced tenant boundary (tenant_id/workspace_id), backed by a dedicated test suite against isolation violations.
- Encryption: disk encryption as well as TLS for all data transmission; field-level encryption for individual, particularly sensitive attributes where a concrete need arises.
- Backup storage: backup copies are stored exclusively on the Processor's own infrastructure (Webserver2/IONOS); no further third-party backup storage is used. Retention period: 30 days, after which they are irrevocably deleted.
- Network hardening: the origin server is reachable only via Cloudflare (IP-range firewall), Cloudflare "Full (Strict)" mode with a dedicated origin certificate. Cloudflare acts solely as a network proxy (DDoS/WAF protection); no persistent storage or content caching of workspace Content by Cloudflare takes place.
- Server access: SSH by key only, no password login, no direct root login, Fail2ban/rate limiting.
- Database: not publicly reachable, accessible only from the private network via the app/gateway container.
- Internal access control: access by the Processor's staff to stored Content is technically and organizationally limited to the minimum necessary for operations and support (need-to-know principle, personalized access, logging of sensitive access).
- App/account security: optional/enforceable two-factor authentication, login notifications for new devices/IPs, an overview and individual revocation of active App connections (connector sessions) available to the Controller themselves.
- Certification: hosting in a data center in Germany certified to ISO/IEC 27001.
Annex 2: Subprocessor list
| Provider | Purpose | Location | Legal basis for third-country transfer |
|---|---|---|---|
| IONOS SE | Hosting (Webserver2), infrastructure, backup storage (own infrastructure only) | Germany (Frankfurt) | not applicable (EU/Germany) |
| Cloudflare, Inc. | Network proxy for DDoS/WAF protection — no persistent content storage | USA | Standard Contractual Clauses (Art. 46(2)(c) GDPR) |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) | Standard Contractual Clauses where applicable, for processing by US parent Stripe, Inc. |
| OpenAI Ireland Limited | AI model (GPT, commercial API) for the support chatbot in the help section, used solely to answer individual user requests (no training, no storage beyond answering) | Ireland (EU) | Standard Contractual Clauses where applicable, for processing by affiliated US entity (OpenAI OpCo, LLC) |
Changes to this list are announced at least 30 days in advance (Section 5.4).
Note: external AI systems connected by the Controller themselves are not on this list — see Section 7(3). The support chatbot provider, by contrast, is a sub-processor of the Processor in its own right (Section 7(4)).