Data Processing Agreement
Last updated: May 2026
This template Data Processing Agreement ("DPA") is concluded between the Customer ("Controller") and DexterBee GmbH, Industriestraße 13, 63755 Alzenau, Germany ("Processor", "UIWeaver") and governs the processing of personal data by UIWeaver on behalf of the Customer in accordance with Art. 28 of Regulation (EU) 2016/679 (GDPR). It supplements the main agreement (Terms of Service, Statement of Work).
A version of this template DPA signed by the Processor will be provided on request to privacy@uiweaver.io.
§ 1 Subject matter and duration
(1) The subject matter of this DPA is the processing of personal data by UIWeaver in connection with the provision of the agreed services (AI-powered website creation, hosting, maintenance, transactional communication).
(2) This DPA begins upon conclusion of the main contract and ends automatically upon its termination. § 9 (Termination) remains unaffected.
§ 2 Nature and purpose of processing
UIWeaver processes personal data solely for the following purposes:
- Provision and operation of the website platform;
- Generation of AI-powered design suggestions based on end-user input;
- Hosting of created websites (if ordered);
- Sending transactional emails to end-users of the Controller;
- Technical maintenance, backups and security updates.
§ 3 Types of personal data
- Master data (name, company, address, VAT ID);
- Contact data (email, phone number);
- Usage data (IP address — hashed within 24 hours, browser information, timestamps);
- Content data (business description and configuration provided by the end-user);
- Contract and transaction data (order number, subscription status — excluding full payment data).
§ 4 Categories of data subjects
- End-users and visitors of websites operated by the Controller;
- Business partners and prospects of the Controller;
- Employees and agents of the Controller who administer the system.
§ 5 Obligations of the Processor
UIWeaver undertakes to:
- process personal data only on documented instructions of the Controller (Art. 28(3)(a) GDPR), including with regard to transfers to third countries, unless required to do so by law;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR);
- take all measures required pursuant to Art. 32 GDPR (see § 7);
- respect the conditions for engaging another processor pursuant to § 6;
- assist the Controller in fulfilling its obligations under Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor (Art. 28(3)(f) GDPR);
- make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections (Art. 28(3)(h) GDPR);
- immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
§ 6 Engagement of further processors (sub-processors)
(1) By concluding this DPA, the Controller grants a general written authorisation pursuant to Art. 28(2) GDPR for the engagement of further processors to the necessary extent. UIWeaver will inform the Controller of any intended changes concerning the addition or replacement of further processors with a notice period of four weeks and grant a right of objection.
(2) Current sub-processors:
- Stripe Payments Europe, Ltd., Dublin, Ireland — payment processing.
- Supabase, Inc., Singapore (data hosted in AWS eu-central-1, Frankfurt) — database.
- Vercel Inc., Covina, CA, USA — hosting and edge functions.
- Resend, Inc., San Francisco, CA, USA — transactional email delivery.
- Google LLC, Mountain View, CA, USA — Gemini API for design generation.
- Google Ireland Ltd., Dublin, Ireland — Google Analytics 4 (consent only).
- Sanity, Inc., San Francisco, CA, USA — headless CMS (optional).
(3) UIWeaver ensures that the obligations under Art. 28 GDPR are contractually agreed in equivalent form with each sub-processor.
§ 7 Technical and organisational measures (Art. 32 GDPR)
UIWeaver implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption in transit (TLS 1.3) and at rest (AES-256);
- role-based access controls and multi-factor authentication for administrative accounts;
- logging of security-relevant events and automated anomaly detection;
- regular backups with documented recovery tests;
- pseudonymisation (e.g. hashing of IP addresses);
- procedures for regularly testing the effectiveness of the measures.
A detailed list of technical and organisational measures is available on request as Annex 1 to this DPA.
§ 8 Assistance with data subject rights
UIWeaver assists the Controller in fulfilling requests of data subjects pursuant to Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Should a data subject contact UIWeaver directly, UIWeaver will forward the request to the Controller without undue delay.
§ 9 Notification of personal data breaches (Art. 33 GDPR)
UIWeaver shall notify the Controller of any personal data breach of which it becomes aware without undue delay, generally within 24 hours of becoming aware of it. The notification shall include a description of the breach, the categories of data concerned, the likely consequences and the measures already taken.
§ 10 Audit and inspection rights
(1) The Controller has the right, prior to the commencement of processing and thereafter at appropriate intervals, to verify compliance with the technical and organisational measures taken (Art. 28(3)(h) GDPR).
(2) Audits may take the form of inspection of self-assessments, certifications (e.g. SOC 2, ISO 27001) or audit reports of independent third parties. On-site audits shall be coordinated with 30 days' prior notice and limited to the necessary extent.
§ 11 International data transfers
Where personal data is processed outside the EU/EEA in the course of this DPA, UIWeaver bases the transfer primarily on the adequacy decision for the EU-US Data Privacy Framework (C(2023) 4745) and, additionally, on EU Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914. Additional technical and organisational measures (encryption, access controls) are implemented.
§ 12 Termination, deletion of data
Upon termination of the main contract, UIWeaver shall — at the choice of the Controller — delete or return all personal data and delete existing copies, unless retention is required by law (in particular §§ 147 AO, 257 HGB). Return or deletion shall be carried out within 30 days of termination; the deletion process is documented on request.
§ 13 Liability
Liability of the parties is governed by Art. 82 GDPR and the provisions of the main contract. In the internal relationship between the parties, the limitation of liability agreed in the main contract applies accordingly, to the extent permitted by law.
§ 14 Final provisions
(1) In the event of any conflict between this DPA and the main contract, the provisions of this DPA shall prevail with regard to the protection of personal data.
(2) Should individual provisions be or become invalid, the validity of the remaining provisions shall not be affected.
(3) Governing law: the law of the Federal Republic of Germany. Place of jurisdiction: Aschaffenburg.
Contact
DPA inquiries: privacy@uiweaver.io