DPA (Data Processing Agreement)
Data Processing Agreement under Art. 28 GDPR — mandatory contract between the controller (you) and the processor (hosting provider) on protection and purpose limitation of processed data.
As soon as a hosting provider processes personal data on your behalf (customer data in the DB, log files with IP addresses, backups with user content), Art. 28 GDPR mandates a written Data Processing Agreement (DPA, German: AVV). Mandatory content: subject and duration of processing, type and purpose, categories of personal data and data subjects, technical and organisational measures, sub-processor list with consent requirement, audit/inspection rights, data deletion after contract end. Reputable hosts (netcup, Hetzner, IONOS, Cloud86) provide the DPA digitally in the customer portal: you accept it with one click, it is prefilled with your company data, and it is immediately saved as a PDF. Without a signed DPA the processing is formally unlawful, with a risk of fines of up to €10 million or 2 % of annual turnover.
Also known as
Data Processing Agreement, AVV, Auftragsverarbeitungsvertrag
Updated: 16.05.2026