Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Last updated: March 2026

Parties

Processor: Elektronikhandel Michael Graef, Breitscheidstraße 84, 70176 Stuttgart (“LABELfleet”)

Controller: The user who has registered a LABELfleet account and uses the platform for processing personal data of their end customers.

This DPA supplements the General Terms and Conditions and becomes effective upon registration.

1. Subject Matter & Duration

Subject: The Processor processes personal data on behalf of the Controller as part of providing the LABELfleet SaaS platform (shipping label creation, invoicing, order management, return handling, automated buyer communication).

Duration: The processing begins upon registration and ends upon deletion of the account. After contract termination, data will be deleted within 30 days, subject to legal retention periods.

2. Type of Personal Data

The following categories of personal data are processed:

  • Recipient addresses: Name, street, postal code, city, country
  • Contact data: Email addresses of buyers/recipients, phone numbers (if provided)
  • Order data: Order IDs, item descriptions, prices, marketplace usernames
  • Shipping data: Tracking numbers, shipment status, return shipment data
  • Invoice data: Invoice numbers, amounts, VAT IDs
  • Communication data: Buyer messages (when AI agent is active)

3. Categories of Data Subjects

  • End customers (buyers) of the Controller
  • Recipients of shipments
  • Communication partners of the Controller on marketplaces

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions of the Controller (Art. 28 para. 3 lit. a GDPR)
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality (Art. 28 para. 3 lit. b GDPR)
  • Implement appropriate technical and organizational measures (Art. 32 GDPR, see Section 6)
  • Assist the Controller with data subject requests (Art. 28 para. 3 lit. e GDPR)
  • Assist the Controller with DPIA and prior consultation obligations (Art. 28 para. 3 lit. f GDPR)
  • Delete or return all personal data after the end of the contract (Art. 28 para. 3 lit. g GDPR)
  • Make available all information necessary to demonstrate compliance (Art. 28 para. 3 lit. h GDPR)
  • Notify the Controller without undue delay of any personal data breach (Art. 33 GDPR)

5. Instructions

The Processor processes personal data exclusively in accordance with the Controller’s instructions. Instructions are given through the use of the platform (configuration of settings, API calls, manual actions). Additional instructions must be given in writing (email to datenschutz@labelfleet.com).

If the Processor believes that an instruction violates GDPR or other data protection provisions, it shall notify the Controller immediately.

6. Technical & Organizational Measures (TOM)

The Processor implements the following measures pursuant to Art. 32 GDPR:

Encryption

  • TLS 1.2+ for all data in transit (HTTPS enforced)
  • Fernet encryption (AES-128-CBC) for sensitive credentials (DHL passwords, IMAP/SMTP credentials, API keys)
  • Passwords hashed with bcrypt (cost factor 12)

Access Control

  • Multi-tenant data isolation (tenant_id on every database query)
  • Two-factor authentication (TOTP) and passkey support
  • API key authentication with per-tenant scoping
  • SSH key-only server access (no password authentication)

Availability & Backup

  • Daily automated database backups
  • Docker-based deployment with automated CI/CD pipeline
  • Server monitoring and alerting via Ops Server

7. Sub-Processors

The Controller grants general authorization for the engagement of the following sub-processors:

  Sub-Processor         Purpose                                                   Location
  Hetzner Online GmbH   Server hosting (VPS)                                      Germany (Nuremberg)
  DHL Paket GmbH        Shipping label creation & tracking                        Germany (Bonn)
  Anthropic PBC         AI-powered message generation (when AI agent is active)   USA (EU-US Data Privacy Framework)
  Resend Inc.           Transactional email delivery                              USA (EU-US Data Privacy Framework)

The Processor will inform the Controller of any intended changes to sub-processors with at least 14 days’ notice. The Controller may object within this period; if no agreement is reached, the Controller may terminate the contract.

8. Deletion after Contract End

Upon termination of the contract, the Processor shall:

  • Provide the Controller with the option to export all data (JSON export via account settings) for 30 days after termination
  • Delete all personal data after the 30-day export period, unless legal retention obligations require further storage
  • Confirm deletion in writing upon request

9. Audit Rights

The Controller has the right to verify the Processor’s compliance with this DPA. The Processor shall:

  • Provide all information necessary to demonstrate compliance with Art. 28 GDPR obligations
  • Allow and contribute to audits and inspections, including by an independent auditor mandated by the Controller
  • Respond to written inquiries within 14 business days

Audits shall be conducted with reasonable notice (at least 14 days) and during normal business hours. The Controller bears the cost of audits unless the audit reveals a material breach.

10. Contact

For data protection inquiries and DPA-related matters:

Elektronikhandel Michael Graef
Breitscheidstraße 84, 70176 Stuttgart
E-Mail: datenschutz@labelfleet.com