Data Processing Agreement (DPA)
Platform: Auftragr (auftragr.de)
Pursuant to Art. 28 GDPR
1. Subject and Duration
This DPA governs the processing of personal data by BlackSwanAI ("Processor") in connection with the use of the Auftragr platform ("Service") by the customer ("Controller"). Processing occurs for the duration of Service use. This DPA is specific to the Auftragr platform and its technical infrastructure.
2. Nature and Purpose of Processing
Processing includes: storage and processing of user profile data, matching against public tender data, AI-powered analysis of procurement procedures (KO criteria, VOB risk assessment, competition density), delivery of email briefings. Processing serves exclusively the provision of the contractually agreed service.
3. Categories of Personal Data
| Category | Data Fields | Legal Basis | Retention |
|---|---|---|---|
| Account Data | Name, email, password (bcrypt-hashed) | Art. 6(1)(b) | Until account deletion |
| Company Data | Company name, website, size, industry, phone | Art. 6(1)(b) | Until account deletion |
| Construction DNA Profile | Trade, specializations, regions, CPV codes, VOB experience | Art. 6(1)(b) | Until account deletion |
| Pipeline Data | Saved tenders, evaluations, notes | Art. 6(1)(b) | Until account deletion |
| Usage Data | Page views, clicks, search terms, pipeline actions | Art. 6(1)(f) | 90 days |
| Feedback | Bug reports, feature requests, ratings | Art. 6(1)(b) | Until account deletion |
4. Subprocessors — Auftragr Technology Stack
The following subprocessors are specifically used for the Auftragr platform:
| Provider | Purpose | Location | Data Processed | Safeguard |
|---|---|---|---|---|
| Neon Inc. | PostgreSQL database (App DB + Intelligence DB) | EU (Frankfurt, eu-central-1) | All account data, profiles, pipeline | EU region, RLS, encryption |
| Netlify Inc. | Hosting (Next.js), file storage (Blobs) | EU | Uploaded documents, static assets | EU region |
| Groq Inc. | AI analysis (Llama 3.3 70B): KO criteria, VOB risk, competition density | USA | Public tender texts only — no PII | SCC, no PII transfer |
| one.com | SMTP email delivery | EU (Denmark) | Email address, briefing content | EU provider |
| GitHub Inc. | Code hosting, CI/CD (Netlify deployment) | USA | Source code — no user data | SCC, no PII |
SCC = EU Standard Contractual Clauses per Implementing Decision (EU) 2021/914. For US-based services, only public tender texts or code are processed — no personal user data.
5. Technical and Organizational Measures (TOMs)
- Access control: Row Level Security (RLS) at PostgreSQL level — each user can only see their own data. 8 tables protected by 16 policies, with FORCE ROW LEVEL SECURITY active (so the policies also apply to the table owner, not only to ordinary roles)
- Encryption: TLS 1.3 for all data in transit, AES-256 at rest (Neon), bcrypt with cost factor 12 for passwords
- Authentication: NextAuth.js with JWT, 30-day session expiry, email verification before activation
- Middleware: Global auth middleware protects /api/dashboard/*, /api/profile/*, /api/admin/*
- Rate limiting: IP-based rate limiting on login and registration endpoints
- Email validation: German business email addresses only (.de/.at/.ch/.eu) — no freemail providers
- Admin control: Super admin can approve, deny, revoke and deactivate users
- Audit trail: Event tracking system with 12 event types, stored in user_events
6. Data Subject Rights
- Access (Art. 15): Settings → Export Data (JSON with all 7 tables)
- Portability (Art. 20): Complete JSON export: profile, pipeline, events, feedback, documents
- Erasure (Art. 17): Settings → Delete Account — cascading deletion across all 8 RLS-protected tables
- Objection (Art. 21): Email to info@blackswanai.de
7. AI Processing (EU AI Act Transparency)
Auftragr uses the AI model Llama 3.3 70B (via Groq) to analyze public tender data. The AI processes exclusively publicly available texts — no personal user data is sent to AI services. AI-generated results (KO criteria checklists, VOB risk assessments, competition density analyses, win categories) serve as decision support. No automated individual decision-making within the meaning of Art. 22 GDPR takes place. All AI results are displayed as such in the dashboard.
8. Data Deletion upon Termination
Upon termination of use, all personal data is deleted within 30 days. Users can perform immediate deletion at any time via Settings. Public tender data (non-personal) is retained for statistical purposes as it originates from publicly accessible sources (TED, Bund.de, DTVP).
Last updated: April 2026 | Platform: Auftragr (auftragr.de) | Operator: BlackSwanAI, Erlangen | info@blackswanai.de