Data Processing Agreement (DPA)

Version: 2026-04-07

In the event of any conflict between the German and English versions of this Data Processing Agreement, the German version shall prevail.

1. Subject and duration

This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR supplements the Terms of Service ("Terms") between the controller ("you", "Controller") and Nuqo GmbH, Körnerstrasse 10, 13585 Berlin ("Nuqo", "Processor").

The DPA applies for the duration of the use of the Service pursuant to the Terms.

2. Nature and purpose of processing

Nuqo processes personal data on behalf of the Controller for the provision of the services described in the Terms, in particular:

Extraction and structuring of bills of materials and specifications from uploaded documents
AI-powered analysis of technical documents
Storage and management of quote and inquiry data
User account management and authentication

3. Categories of data subjects

Employees and agents of the Controller (user accounts)
Contact persons in uploaded inquiry documents (contact details in RFQs, BOMs, drawings)

4. Categories of personal data

Account data: name, email address, phone number, login information
Organisation data: company name, organisation settings
Document data: personal data contained in uploaded files (e.g. contact persons, contact details)
Usage data: IP address, session data, event logs

5. Obligations of the Processor

Nuqo undertakes to:

Process personal data only on documented instructions from the Controller
Ensure that persons authorised to process have committed to confidentiality
Implement appropriate technical and organisational measures pursuant to Art. 32 GDPR
Assist the Controller in fulfilling data subject rights
Notify the Controller without undue delay of any personal data breach
Delete or return all personal data upon termination of the engagement

6. Sub-processors

The Controller grants general authorisation for the engagement of sub-processors. Nuqo will inform the Controller of any intended changes and provide an opportunity to object.

Current sub-processors:

Provider	Purpose	Location
Hetzner Online GmbH	Server hosting	Germany
Neon Inc.	Database hosting (PostgreSQL)	EU (aws-eu-central-1)
Cloudflare Inc.	File storage (R2)	EU
Mailgun Technologies Inc.	Transactional emails	EU endpoint
OpenAI, LLC / Microsoft (Azure OpenAI)	AI document processing	USA / EU (Azure)
Google LLC (Gemini)	AI document processing	USA / EU
PostHog Inc.	Usage analytics	EU
GlitchTip (self-hosted)	Error monitoring	Germany (Hetzner)

7. Technical and organisational measures

Nuqo implements the following measures to protect personal data:

Encryption of data in transit using TLS/SSL
Password hashing using Argon2id
Access control through role-based permissions
Hosting on servers in Germany (Hetzner)
Regular security updates and monitoring
Secure session management (HttpOnly cookies, SameSite, Secure flag)

8. International transfers

Where sub-processors are located in third countries (e.g. the USA), transfers are made on the basis of an EU Commission adequacy decision, standard contractual clauses (SCCs), or other recognised safeguards under Art. 44 ff. GDPR.

When using Azure OpenAI, Microsoft's data protection terms apply. Customer data is not used to train AI models.

9. Audit rights

The Controller has the right to verify compliance with this DPA through appropriate measures, including audits. Nuqo will provide all necessary information and assist with inspections.

10. Contact

For questions about this DPA, please contact: info@nuqo.io