
Data Processing Agreement

pursuant to Art. 28 GDPR — Last updated: March 2026

Preamble

This Data Processing Agreement (DPA) governs the rights and obligations in connection with the processing of personal data by the Processor on behalf of the Controller.

  • Controller: The customer (hereinafter "Controller")
  • Processor: NeuronForge UG (haftungsbeschränkt), Brillenburgsweg 7, 21614 Buxtehude, Germany (hereinafter "Processor")

This DPA supplements the Terms of Service (Main Agreement) and takes effect upon conclusion of the Main Agreement.

§ 1 Subject Matter and Duration

(1) Subject matter: Provision of the SaaS platform StreamLain for storage and processing of workspace data on behalf of the Controller.

(2) Duration: This DPA applies for the term of the Main Agreement. It terminates automatically upon termination of the Main Agreement, without prejudice to the obligations regarding deletion and return pursuant to § 11.

§ 2 Nature and Purpose of Processing

The Processor processes personal data exclusively for the purpose of:

  • Storage and processing of workspace data (documents, canvas, databases, files)
  • Provision of AI features (Copilot, AI nodes) upon user instruction
  • Automation of workflows (n8n-based automations)
  • Real-time collaboration between workspace members
  • Authentication and access control

§ 3 Types of Personal Data

The following categories of personal data are processed:

  • Master data: Name, email address, profile picture
  • Content data: Documents, database entries, files, canvas elements
  • Usage data: IP address (truncated), browser, access times
  • Communication data: Comments, notifications
  • Payment data: Billing address, payment method (via Stripe)

§ 4 Categories of Data Subjects

  • Employees and members of the Controller
  • Guests (invited external users with limited access)
  • Third parties whose personal data is stored in workspace content

§ 5 Obligations of the Controller

The Controller is responsible for:

  • The lawfulness of data processing and safeguarding data subject rights
  • Issuing instructions to the Processor
  • Promptly informing the Processor of any errors or irregularities
  • Designating a contact person for data protection matters

§ 6 Instructions

(1) The Processor shall process personal data only on documented instructions from the Controller. Instructions are generally issued through the use of platform features.

(2) If the Processor believes that an instruction infringes data protection law, it shall promptly notify the Controller. The Processor is entitled to suspend execution of the instruction until confirmed by the Controller.

(3) Instructions that go beyond the contractual services must be issued in writing or by email.

§ 7 Confidentiality

(1) The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(2) Access to the Controller's personal data is granted only to employees who require it to fulfill their duties.

§ 8 Technical and Organizational Measures

The Processor implements the technical and organizational measures described in Annex 1 pursuant to Art. 32 GDPR. The Processor regularly reviews these measures and adapts them to the state of the art.

§ 9 Sub-Processors

(1) The Controller consents to the engagement of the sub-processors listed in Annex 2.

(2) The Processor shall inform the Controller at least 30 days before any intended change or addition of sub-processors. The Controller may object to the change for important data protection reasons within 14 days.

(3) The Processor shall conclude a contract with each sub-processor that provides at least the same level of data protection obligations as this DPA.

§ 10 Assistance with Data Subject Rights

(1) The Processor assists the Controller in fulfilling requests from data subjects (Art. 15–22 GDPR) through appropriate technical and organizational measures.

(2) Incoming requests from data subjects are forwarded by the Processor to the Controller without undue delay, within 48 hours at the latest.

§ 11 Data Breach Notification

(1) The Processor shall notify the Controller without undue delay, within 24 hours of becoming aware, of any personal data breach (Art. 33 GDPR).

(2) The notification shall include all relevant information pursuant to Art. 33(3) GDPR, in particular the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remedial measures taken.

§ 12 Assistance with GDPR Obligations

The Processor assists the Controller upon request in conducting data protection impact assessments (Art. 35 GDPR) and prior consultation with the supervisory authority (Art. 36 GDPR) by providing relevant information.

§ 13 Deletion and Return

(1) After termination of the Main Agreement, the Processor makes the Controller's data available for export for 30 days.

(2) After expiration of the 30-day period, all personal data of the Controller is irrevocably deleted, including all copies and backups.

(3) The Processor confirms deletion in writing upon request.

§ 14 Audit Rights

(1) The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

(2) The Processor allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable prior notice (at least 14 days).


Annex 1: Technical and Organizational Measures

Confidentiality

  • Physical access control: Servers hosted by Hetzner Online GmbH in certified German data centers (ISO 27001)
  • Logical access control: Role-based access control (RBAC) on three levels (workspace → folder → document)
  • Data access control: PostgreSQL row-level security (RLS), two-factor authentication (TOTP), device trust
  • Separation control: Multi-tenant architecture with logical data separation per workspace

Integrity

  • Input control: Comprehensive audit systems (6 independent audit logs) for complete traceability
  • Transfer control: TLS 1.3 for all data transmissions, HMAC-SHA256 for payload verification

Availability and Resilience

  • Availability: 99.5% SLA target (annual average), Kubernetes cluster for fault tolerance
  • Resilience: Auto-scaling of the application layer
  • Recoverability: Daily database backups, tested restore procedures

Encryption

  • Transport encryption: TLS 1.3 for all connections
  • Encryption at rest: AES-256-GCM for sensitive data (API keys, TOTP secrets, certificates)
  • Passwords: bcrypt hashing (OWASP compliant), no plaintext storage

Regular Review Procedures

  • Regular security audits and code reviews
  • Automated dependency scans for known vulnerabilities
  • Monitoring and alerting for security-relevant events

Annex 2: Sub-Processors

| Sub-Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, database, object storage | Germany (Nuremberg/Falkenstein) | DPA |
| Amazon Web Services EMEA SARL | AI inference via Bedrock (Claude) | Luxembourg / eu-central-1 Frankfurt | AWS DPA |
| Google Cloud EMEA Limited | AI inference via Vertex AI (Gemini), OAuth authentication | Ireland / europe-west3 Frankfurt | GCP CDPA |
| Stripe Ireland Limited | Payment processing | Ireland (EU-US DPF) | Stripe DPA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | USA (EU-US DPF) | Cloudflare DPA + SCCs |
| BunnyWay d.o.o. (bunny.net) | CDN, DDoS protection | Slovenia (EU) | Individually signed DPA |

Changes to the sub-processor list will be communicated to the Controller at least 30 days before they take effect. The current list is always available on this page.

Contact for data protection inquiries: hello@streamlain.de


© 2026 StreamLain, a NeuronForge UG (haftungsbeschränkt) brand.
