Legal

Data Processing Agreement

Policy information for the dossaro service.

Last updated: June 10, 2026

1. Scope and incorporation

This Data Processing Agreement ("DPA") forms part of the dossaro Terms of Service and applies automatically only when a business customer uses dossaro to process Customer Personal Data on documented instructions for the customer's own purposes. It is intended to satisfy Article 28 GDPR for processor processing. In this DPA, the customer is the "Customer" and controller, and Hagen Hoferichter, Reuterstr. 1, 12053 Berlin, Germany, acting under the trade name dossaro, is the "Processor".

dossaro remains an independent controller for account administration, billing, payment records, security, abuse prevention, customer communications, service administration, product operations, customer references and other purposes described in the Privacy Policy. This DPA does not apply to those controller activities.

2. Definitions and order of precedence

"Customer Personal Data" means personal data that dossaro processes as processor on behalf of Customer through the service. "Data Protection Laws" means the GDPR, the German Federal Data Protection Act and other data-protection laws applicable to the relevant processing. Terms such as controller, processor, personal data, processing, personal data breach and supervisory authority have the meanings given in the GDPR.

If this DPA conflicts with the Terms, this DPA controls only for processor processing of Customer Personal Data. The Terms continue to govern commercial terms, service scope, credits, disclaimers and liability limits to the extent legally permitted.

3. Processing instructions

dossaro will process Customer Personal Data only on Customer's documented instructions, including through the Terms, this DPA, product configuration, MCP tool calls, prompts, support requests and other lawful written instructions accepted by dossaro. dossaro may refuse instructions that it reasonably believes are unlawful, technically infeasible, outside the service scope, harmful to source systems or inconsistent with the Terms.

Customer is responsible for ensuring that its instructions, prompts, source requests, exports, downstream systems, downstream uses, notices, assessments and legal bases comply with Data Protection Laws, source-register terms and third-party connector terms.

4. Processor obligations

  • dossaro will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations.
  • dossaro will implement and maintain appropriate technical and organizational measures as summarized in Annex II.
  • dossaro will assist Customer, taking into account the nature of processing and information available to dossaro, with data-subject requests and Customer's obligations under Articles 32 to 36 GDPR.
  • dossaro will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
  • dossaro will make available information reasonably necessary to demonstrate compliance with Article 28 GDPR, subject to confidentiality, security, third-party restrictions and reasonable scope limits.
  • dossaro will delete or return Customer Personal Data after the end of processor services unless retention is required by law, needed for legal claims, or covered by dossaro's independent controller purposes.

5. Subprocessors

Customer gives general authorization for dossaro to use subprocessors for the service. dossaro will impose data-protection obligations on subprocessors that are substantially equivalent to those in this DPA, to the extent applicable to the subprocessor's role.

dossaro may add or replace subprocessors by updating this DPA page or otherwise notifying Customer where appropriate. Customer may object on reasonable data-protection grounds by emailing privacy@dossaro.com within 14 days after notice. If the objection cannot be resolved reasonably, dossaro may suspend the affected processing or Customer may stop using the affected feature.

6. Audits and documentation

Customer's audit rights are documentation-first and remote-first. dossaro may satisfy audit requests by providing this DPA, the Privacy Policy, subprocessor information, technical and organizational measure summaries, written responses, available provider documentation, policies, certificates, reports or other reasonable evidence. Any additional audit must be limited to processor processing of Customer Personal Data, occur no more than once per year unless legally required or following a confirmed breach, and must not compromise security, confidentiality, other customers or third-party systems.

On-site, intrusive, production-system, source-code, infrastructure-console or provider-console audits are excluded unless legally required and specifically scoped to processor processing of Customer Personal Data under appropriate confidentiality, security and access controls.

7. International transfers

dossaro and its subprocessors may process Customer Personal Data outside the European Economic Area. Where Data Protection Laws require a transfer mechanism, dossaro will rely on adequacy decisions, the EU-US Data Privacy Framework where applicable, standard contractual clauses, data processing agreements or another lawful transfer safeguard.

8. Liability and term

This DPA remains in effect while dossaro processes Customer Personal Data as processor. Liability under this DPA is subject to the exclusions, limitations and mandatory carve-outs in the Terms to the maximum extent permitted by law.

Annex I: Processing details

Subject matter: MCP-based public-register research, source retrieval, document parsing, OCR and model-assisted extraction, usage logging, support and credit enforcement.
Duration: The account term plus any additional period required for service operation, legal compliance, billing, security, dispute handling, source integrity, auditability, deletion or restriction workflows, legal claims or dossaro's independent controller purposes.
Purpose: Provide requested research output, source trails, source limitations, source retrieval, document parsing, OCR, model-assisted extraction, support, account operations, security controls and credit or quota enforcement.
Data subjects: Customer users, admins and support contacts; persons named in Customer prompts; and persons appearing in public-register records, public filings, source documents or extracted research output.
Data categories: Account, contact and authentication data; prompts and tool calls; public-register names, roles, addresses, register numbers, filings, shareholding data, source URLs, source hashes and source metadata; document text; parser metadata; usage, security and diagnostic logs.
Special categories: Not intended. Customer must not submit special-category personal data, criminal-offense data, secrets, credentials, private keys, private investigative data or highly sensitive personal data unless lawful, necessary and covered by suitable safeguards.

Annex II: Technical and organizational measures

  • Authenticated account access, session controls and customer-controlled connector authorization.
  • Least-privilege access practices for service administration, support handling and provider consoles.
  • TLS for network transport and provider-managed encryption for hosted storage where available.
  • Secrets management through deployment-provider secret stores rather than public source code.
  • Operational logging, monitoring, quota controls, rate controls, credit enforcement and abuse-prevention controls.
  • Provider backup, durability, availability and recovery controls for managed infrastructure where available.
  • Incident triage and breach-notification workflow for confirmed personal data breaches.
  • Data-subject request, deletion, return or restriction workflows for account and research data where technically feasible and legally required.
  • Source attribution, source limitation display and bounded public-register retrieval to reduce unsupported inference risk.
  • Documentation-first audit support through this DPA, subprocessor information, written responses and available provider documentation.

Annex III: Subprocessors and third-party environments

Cloudflare
  • Role: Hosting, edge delivery, Workers, storage, routing, security and operational infrastructure.
  • Processing categories: Website, service, log, routing, storage and security data.
  • Transfer position: Default infrastructure provider; may process outside the EEA under applicable safeguards.

Supabase
  • Role: Authentication, session handling, account data, usage records and database services.
  • Processing categories: Account, authentication, session, usage, credit and service database records.
  • Transfer position: Default service provider; may process outside the EEA under applicable safeguards.

Stripe
  • Role: Checkout, billing, invoices, customer portal, payment processing, tax and fraud-prevention records.
  • Processing categories: Billing, payment, tax, invoice, subscription, fraud-prevention and customer portal records.
  • Transfer position: Default billing provider; may process outside the EEA under applicable safeguards and payment-network requirements.

Modal
  • Role: Document retrieval, OCR, parsing and compute workers for register-document workflows.
  • Processing categories: Source requests, public-register document data, OCR, extracted text, parser metadata and related compute records.
  • Transfer position: Default or feature-specific compute provider; may process outside the EEA under applicable safeguards.

Google/Gemini
  • Role: OCR, extraction or model fallback where those features use Google-hosted model services.
  • Processing categories: Document text, source snippets, extraction context, prompts or model input needed for enabled OCR or extraction workflows.
  • Transfer position: Feature-specific provider; may process outside the EEA under applicable safeguards.

OpenAI/ChatGPT, Anthropic/Claude and other MCP clients are customer-selected third-party environments when Customer connects dossaro through those services. They are not default dossaro subprocessors for the service; Customer controls that provider relationship. Public registers, public APIs and source portals are independent source systems used to retrieve requested public records and are not dossaro subprocessors.