Data Processing Agreement

Last updated: 17 April 2026
Neuverk UG (haftungsbeschränkt)
GDPR Article 28 compliant
This Data Processing Agreement forms part of the VaultDoc Terms of Service and governs the processing of personal data.

This Data Processing Agreement (“DPA”) forms part of the agreement between Neuverk (“Processor”) and the customer using VaultDoc (“Controller”). It sets out the terms on which Neuverk processes personal data on behalf of the Controller in connection with the VaultDoc service, in accordance with Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679.

By using VaultDoc, the Controller agrees to the terms of this DPA. Enterprise customers requiring a countersigned DPA should contact privacy@neuverk.com.

1. Definitions

  • “Controller” — the natural or legal person who determines the purposes and means of processing personal data (the VaultDoc customer).
  • “Processor” — Neuverk, which processes personal data on behalf of the Controller in connection with the VaultDoc service.
  • “Personal data” — any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • “Processing” — any operation performed on personal data as defined in GDPR Article 4(2).
  • “Sub-processor” — any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
  • “Data breach” — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2. Subject Matter and Nature of Processing

Neuverk processes personal data on behalf of the Controller solely for the purpose of providing the VaultDoc service, which includes:

  • User authentication and account management
  • Storage and retrieval of compliance documents created by the Controller
  • AI-powered document generation using inputs provided by the Controller
  • Subscription billing and invoicing
  • Platform security, monitoring, and support

3. Categories of Data Subjects and Personal Data

Data subjects

Employees, contractors, and authorised users of the Controller who are granted access to VaultDoc.

Categories of personal data processed

  • Name and email address (account registration)
  • Authentication identifiers (SSO tokens)
  • Document content inputs provided by users
  • Usage and activity logs (timestamps, feature usage)
  • IP addresses and technical identifiers
  • Billing contact information and Stripe customer identifiers

Special categories of data

The Controller should not submit special category personal data (as defined in GDPR Article 9) to VaultDoc unless strictly necessary and appropriate safeguards are in place. Neuverk does not specifically process special category data as part of the core service.

4. Processor Obligations

Neuverk, as Processor, shall:

  • Process personal data only on documented instructions from the Controller, which include these Terms and the DPA, unless required to do so by applicable law
  • Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32
  • Not engage sub-processors without prior general authorisation from the Controller (which is granted by acceptance of this DPA), subject to the conditions in Section 6
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III
  • Assist the Controller with its obligations under GDPR Articles 32-36 (security, breach notification, DPIA)
  • Delete or return all personal data to the Controller at the end of the service relationship, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits

5. Technical and Organisational Measures

Neuverk implements the following technical and organisational security measures:

  • Encryption in transit: All data encrypted via HTTPS/TLS 1.2 or higher
  • Encryption at rest: Database encrypted at rest via Neon Postgres (AES-256)
  • Access controls: Role-based access; users can only access their own tenant data
  • Authentication: Multi-factor authentication supported via Clerk; SSO available
  • Pseudonymisation: Internal user identifiers used; Clerk IDs not exposed in UI
  • Availability: Hosted on Vercel with automated failover; Neon with high availability
  • Incident response: Data breach notification procedure in place per GDPR Articles 33-34
  • Audit logging: Key user actions logged for security monitoring
  • Sub-processor review: Sub-processors assessed for GDPR compliance prior to engagement

6. Sub-processors

The Controller grants general authorisation for Neuverk to engage the following sub-processors. Neuverk will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

Sub-processor   Purpose                  Location               Transfer basis
Anthropic       AI document generation   United States          SCCs (in progress)
Clerk           Authentication           United States          SCCs / DPA
Stripe          Payment processing       United States / EU     SCCs / DPA
Neon            Database hosting         Germany (Frankfurt)    Within EU/EEA
Vercel          Application hosting      United States / EU     SCCs / DPA

Note regarding Anthropic

Document inputs may be processed by Anthropic to generate outputs. Users should avoid submitting passwords, special category personal data, or highly confidential information unless and until an appropriate data processing and retention setup is confirmed. Neuverk is in the process of establishing Standard Contractual Clauses with Anthropic.

7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Neuverk ensures appropriate safeguards are in place in accordance with GDPR Chapter V. The primary mechanism used is the European Commission's Standard Contractual Clauses (SCCs) (Commission Decision 2021/914).

The Controller acknowledges that some sub-processors (Anthropic, Clerk, Vercel) are based in the United States and that data may be transferred to the US in connection with the services they provide. Neuverk will maintain and update the appropriate transfer mechanisms as required by applicable law.

8. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, Neuverk will:

  • Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Provide sufficient information to allow the Controller to meet its own notification obligations under GDPR Article 33
  • Cooperate with the Controller to investigate, mitigate, and remediate the breach
  • Document all breaches, including those that do not require notification

Breach notifications should be sent to privacy@neuverk.com. The Controller is responsible for notifying the relevant supervisory authority and affected data subjects where required.

9. Data Subject Rights

Where the Controller receives a request from a data subject exercising their rights under GDPR Chapter III (access, rectification, erasure, portability, restriction, objection), Neuverk will assist the Controller in fulfilling such requests to the extent technically feasible and within a reasonable timeframe.

Data subjects may exercise rights directly through the VaultDoc platform (e.g. account deletion, document deletion) or by contacting the Controller, who remains responsible as data controller.

10. Audit Rights

The Controller may conduct audits or inspections of Neuverk's data processing activities to verify compliance with this DPA, subject to reasonable advance notice of at least 30 days and at the Controller's expense. Neuverk may propose alternative audit mechanisms (such as third-party audit reports or security certifications) as a substitute for on-site audits.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement between the Controller and Neuverk. Upon termination of the service agreement, Neuverk will, at the Controller's election, delete or return all personal data processed under this DPA within 30 days, unless retention is required by applicable law.

12. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany and is subject to the jurisdiction of the competent courts in Munich, Germany, unless superseded by mandatory provisions of applicable EU data protection law.

13. Contact

For enterprise DPA requests, data protection enquiries, or to request a countersigned version of this agreement, please contact:

Neuverk — Data Protection

Munich, Germany

Email: privacy@neuverk.com