
Data Processing Agreement (DPA)

Last updated: March 2026

1. Subject matter and duration of processing

This Data Processing Agreement (DPA) governs the processing of personal data by Dominik Schwarz Ventures GmbH (hereinafter "processor") on behalf of the customer (hereinafter "controller") in connection with the use of Questee.

Processing takes place for the duration of the controller's use of the service. This DPA ends upon termination of the contractual relationship.

2. Nature and purpose of processing

The processor processes personal data for the purpose of:

  • Providing the Questee platform (forms, surveys, funnels)
  • Storage and management of form responses
  • AI-assisted analysis and summarisation of responses (only when activated by the controller)
  • Email notifications and invitations
  • Payment processing via third parties

3. Types of personal data

The following data categories are processed:

  • Contact data (name, email address)
  • Form responses from respondents (content depends on the respective form)
  • Usage data (IP address, browser type, timestamps)
  • Payment data (via Stripe, no direct storage of credit card data)

4. Categories of data subjects

  • Customers of the controller (form creators)
  • Respondents (persons filling out forms)
  • Workspace members of the controller

5. Obligations and rights of the controller

The controller is responsible for the lawfulness of the data processing. The controller ensures that data subjects are informed about the processing and that any required consent is obtained. The controller has the right to issue instructions regarding the nature, scope, and procedure of the processing.

6. Bound by instructions

The processor processes personal data only on documented instructions from the controller. Use of Questee in accordance with the terms of service constitutes an instruction. The processor informs the controller without undue delay if it believes that an instruction violates data protection law.

7. Confidentiality

The processor ensures that all persons with access to personal data are committed to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality obligation continues after termination of the engagement.

8. Technical and organisational measures (TOMs)

The processor takes the following measures to protect personal data:

  • Encryption: TLS 1.3 for all data transmissions, encryption of data at rest
  • Access control: Row-Level Security (RLS) for strict tenant isolation in the database
  • Authentication: Multi-factor authentication (TOTP, Passkeys/WebAuthn)
  • Hosting: Servers in Germany (Hetzner), GDPR-compliant
  • DDoS protection: Cloudflare CDN with Web Application Firewall
  • Rate limiting: Token-bucket-based protection against abuse
  • Security headers: Content-Security-Policy, HSTS, Permissions-Policy
  • PII masking: Automatic masking of personal data before AI processing
  • Error tracking: In-house system on our own server (no third parties)
  • Backups: Regular encrypted database backups

9. Sub-processors

The controller agrees to the use of the following sub-processors. The processor will inform the controller of any changes in good time.

Company | Purpose | Location | Safeguards
Hetzner Online GmbH | Server hosting, database | Germany | GDPR (EU)
Cloudflare Inc. | CDN, DDoS protection | USA | EU Standard Contractual Clauses (SCCs)
Stripe Inc. | Payment processing | USA | EU Standard Contractual Clauses (SCCs)
Anthropic PBC | AI analysis (only upon activation + consent) | USA | EU Standard Contractual Clauses (SCCs)
Brevo (Sendinblue) | Email delivery (invitations, notifications) | Germany / France | GDPR (EU)

10. Support with data subject rights

The processor supports the controller in fulfilling requests from data subjects (access, rectification, erasure, data portability, objection). Requests received directly by the processor will be forwarded to the controller without delay.

11. Notification of data breaches

The processor notifies the controller without undue delay after becoming aware of a personal data breach. The notification includes the nature of the breach, affected data categories, estimated number of affected persons, and measures taken.

12. Deletion and return after contract end

After termination of the contract, the processor will delete all personal data unless statutory retention obligations apply. Before deletion, the controller may request an export of their data (JSON/CSV). Deletion takes place within 30 days of contract end at the latest.

13. Audit rights

The controller has the right to verify compliance with this DPA. The processor provides the controller with all information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and allows audits, including inspections. Audits are to be conducted with reasonable prior notice.

14. Contact

Dominik Schwarz Ventures GmbH
Waldemarstr. 5b, 10179 Berlin, Germany
Email: [email protected]
