Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR – Last updated: May 2026

Preamble

This Data Processing Agreement (hereinafter "DPA") is entered into between the controller (the registered user of the SwiftCheck platform) and the processor Neurolytics GmbH i.G., Jochen Wingerter, Im Storchennest 24, 76872 Erlenbach, Germany (hereinafter "Processor").

This DPA sets out the data protection obligations of the parties in connection with the use of the AI-powered letter of credit compliance platform SwiftCheck.

§ 1 Subject matter and duration of processing

The Processor processes personal data on behalf of the Controller in accordance with Art. 28 GDPR. The nature, scope and purpose of the data processing are set out in the service agreement and the Privacy Policy.

Categories of data: Document content (PDFs), business data from letters of credit and shipping documents, email addresses, usage metadata.

Categories of data subjects: Employees and contractual partners of the Controller to the extent mentioned in documents.

Duration: Processing takes place for the duration of the service agreement. After termination, all data will be deleted in accordance with § 7 of this DPA.

§ 2 Instructions

The Processor shall process personal data only on documented instructions from the Controller — including with regard to transfers to a third country — unless required to do so by Union or Member State law.

§ 3 Technical and organisational measures (TOMs)

The Processor has implemented the following technical and organisational measures:

  • Encryption at rest: AES-256-GCM for all uploaded documents
  • Encryption in transit: TLS 1.2+ (HTTPS) for all connections
  • Pseudonymisation: IP addresses and user IDs in the audit log as SHA-256 hashes
  • Access control: Role-based access model, HTTP-only JWT cookies
  • Data minimisation: Temporary plaintext files are deleted immediately after processing
  • Server location: Germany (Hetzner Online GmbH, data centre DE)
  • Passwords: bcrypt with cost factor 12, never stored in plaintext
  • Backup: Daily database backup, encrypted

§ 4 Confidentiality

The Processor shall bind all persons involved in the processing to confidentiality and shall ensure they are instructed on the applicable data protection requirements.

§ 5 Sub-processors

The Processor engages the following sub-processors:

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen — server hosting (Germany)
  • Anthropic, PBC, 548 Market St., San Francisco, CA 94104, USA — AI analysis (Claude API). Transfer is carried out on the basis of Standard Contractual Clauses (SCCs). Anthropic does not use API inputs for model training.
  • Resend, Inc. — transactional emails (invitations, password resets). Email addresses are used solely for sending the respective email.

The Controller hereby grants general authorisation for the use of these sub-processors. Changes will be communicated at least 30 days in advance.

§ 6 Assistance to the controller

The Processor shall assist the Controller in fulfilling its obligations under Art. 32–36 GDPR (security, personal data breaches, data protection impact assessments). In the event of a personal data breach, the Controller will be notified without undue delay, and no later than 48 hours.

§ 7 Deletion and return of data

Upon termination of the service agreement or upon explicit request, the Processor shall completely and irrevocably delete all personal data of the Controller within 30 days. A return of data in machine-readable format can be provided upon request.

§ 8 Contact & data protection officer

Enquiries regarding this DPA and data protection matters should be directed to:
kontakt@neurolytics-solutions.de

Neurolytics GmbH i.G. is not required to appoint a data protection officer pursuant to Art. 37 GDPR (sole proprietorship, <20 persons).

This DPA is available as a PDF for download and printing.

The document contains placeholders for your company details. Please complete before use.