Data Processing Agreement (DPA)
Version: 2026-07-08
In the event of any conflict between the German and English versions of this Data Processing Agreement, the German version shall prevail.
1. Subject and duration
This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR supplements the Terms of Service ("Terms") between the controller ("you", "Controller") and Nuqo GmbH, Körnerstrasse 10, 13585 Berlin ("Nuqo", "Processor").
The DPA applies for the duration of the use of the Service pursuant to the Terms.
2. Nature and purpose of processing
Nuqo processes personal data on behalf of the Controller for the provision of the services described in the Terms, in particular:
- Extraction and structuring of bills of materials and specifications from uploaded documents
- AI-powered analysis of technical documents
- Storage and management of quote and inquiry data
- User account management and authentication
3. Categories of data subjects
- Employees and agents of the Controller (user accounts)
- Contact persons in uploaded inquiry documents (contact details in RFQs, BOMs, drawings)
4. Categories of personal data
- Account data: name, email address, phone number, login information
- Organisation data: company name, organisation settings
- Document data: personal data contained in uploaded files (e.g. contact persons, contact details)
- Usage data: IP address, session data, event logs
5. Obligations of the Processor
Nuqo undertakes to:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorised to process have committed to confidentiality
- Implement appropriate technical and organisational measures pursuant to Art. 32 GDPR
- Assist the Controller in fulfilling data subject rights
- Notify the Controller without undue delay of any personal data breach
- Delete or return all personal data upon termination of the engagement
6. Sub-processors
The Controller grants general authorisation for the engagement of sub-processors. Nuqo will inform the Controller of any intended changes and provide an opportunity to object.
Current sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany |
| Neon Inc. | Database hosting (PostgreSQL) | EU (aws-eu-central-1) |
| Cloudflare Inc. | File storage (R2) | EU |
| Mailgun Technologies Inc. | Transactional emails | EU endpoint |
| Stripe Payments Europe, Ltd. | Payment processing (subscription billing) | EU / USA (SCC) |
| Microsoft (Azure OpenAI Service) | AI document processing | EU (Azure EU Data Zone) |
| Google (Gemini via Vertex AI) | AI document processing | EU (Vertex AI, EU multi-region) |
| PostHog Inc. | Usage analytics | EU |
| GlitchTip (eu.glitchtip.com) | Error monitoring | EU |
Scope of Stripe processing:Stripe is used solely for invoicing and payment processing and receives only the customer's billing contact details and payment/bank data. Stripe receives nouploaded documents, bills of materials, drawings, quote content, calculation data, or the customer's own end-customer data — such data is never passed to Stripe.
7. Technical and organisational measures
Nuqo implements the following measures to protect personal data:
- Encryption of data in transit using TLS/SSL
- Password hashing using Argon2id
- Access control through role-based permissions
- Hosting on servers in Germany (Hetzner)
- Regular security updates and monitoring
- Secure session management (HttpOnly cookies, SameSite, Secure flag)
8. International transfers
The AI-based processing of uploaded documents (BOMs, drawings, specifications) takes place exclusively via EU endpoints— the Azure EU Data Zone and Vertex AI in the EU multi-region. This content does not leave the EU. Microsoft's and Google Cloud's data protection terms apply respectively; customer data is not used to train AI models.
A transfer to third countries occurs solely in connection with payment processing via Stripe, which covers billing data exclusively and no document content. It is made on the basis of an EU Commission adequacy decision, standard contractual clauses (SCCs), or other recognised safeguards under Art. 44 ff. GDPR.
9. Audit rights
The Controller has the right to verify compliance with this DPA through appropriate measures, including audits. Nuqo will provide all necessary information and assist with inspections.
10. Contact
For questions about this DPA, please contact: [email protected]