A signed copy of the following order processing agreement can be requested via support@finui.de. 

Order processing agreement according to Art. 28 para. 3 of the General Data Protection Regulation (DSGVO)
Finui GmbH

Managing Director: Sebastian Timm

Blumenstr. 47

10243 Berlin

- Contractor -


This Agreement on Commissioned Processing ("Agreement") specifies the obligations of the Contracting Parties regarding data protection and commissioned processing for platform-based Finui Services (Finui Software), which are provided as commissioned processing within the meaning of Art. 28 DSGVO. The Finui Software on which the commissioned processing is based are each governed by the usage agreement ("Usage Agreement"), the service description if applicable and the general terms and conditions of the contractor ("GTC"). It shall apply to all processing of personal data ("Data") in the context of the use of the Finui Software.

§ 1 Subject matter, duration and specification of the commissioned processing

  1. The subject matter and duration of the order and thus of the processing as well as the type and purpose of the processing result in principle from the respective user agreement.  
  1. The purpose of the processing of personal data by the Contractor for the Client results from the respective usage agreement.
  1. The categories of data subjects affected by the processing include:
  1. Customers
  2. Interested parties
  3. Employees
  4. Suppliers
  5. Sales representative
  6. Contact
  7. Applicant
  8. Business partner
  9. Investors
  1. The subject of the processing of personal data are the following types/categories of data:
  1. Personnel master data (surname, first name, date of birth)
  2. Payroll data (social security number, tax number)
  3. Employment contract data 
  4. Personal data of representatives of business partners 
  5. Contact details (e.g. first and last name, address, e-mail address, telephone number)
  6. Correspondences
  7. Identification numbers (e.g. social security number, tax number, tax ID, passport or ID card number, insurance number).
  8. Payment data (e.g. example account number, credit card number, financial institution)
  9. Physical characteristics (e.g. profile photos, application photos)
  10. Awards (e.g. testimonials and certificates)
  11. Information about ethnic and cultural origin
  12. Information on political, religious, and philosophical worldview (e.g., church tax record).
  13. Health data (e.g. medical diagnoses, certificates of incapacity for work)
  14. Information on trade union affiliations

§ 2 Scope of application and responsibility

(1) The Contractor shall process personal data on behalf of the Customer. Within the scope of this Agreement, the Customer shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the data processing ("Controller" within the meaning of Art. 4 No. 7 DSGVO).

(2) The scope of services agreed in the User Agreement represents the final instructions of the Customer (with regard to data processing) at the time of the conclusion of this Agreement. In addition, the Customer may issue individual instructions. Such instructions shall be transmitted to the Contractor in an electronic format (text form) and shall also be confirmed by the Contractor in an electronic format (text form).

§ 3 Duties of the Contractor

(1) The Contractor may only process data of data subjects within the scope of the order and the Client's instructions, unless an exceptional case within the meaning of Article 28 (3) a) DSGVO exists. The Contractor shall inform the Client without undue delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.

(2) The Contractor shall organize the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. He shall take technical and organizational measures for the adequate protection of the Customer's data that meet the requirements of the General Data Protection Regulation (Art. 32 DSGVO). The Contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the Processing on a permanent basis. The Customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed. The Contractor shall provide the Customer with documentation of the measures currently implemented in Annex 1.

(3) The Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 of the GDPR. 

(4) The Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the scope of the instruction. Furthermore, the Contractor warrants that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/confidentiality obligation shall continue to exist after termination of the order.

(5) The Contractor shall inform the Customer without undue delay if it becomes aware of any violations of the protection of personal data of the Customer. The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned and shall consult with the Client on this without delay.

(6) The Contractor shall name to the Customer the contact persons for data protection issues arising within the scope of the contract.

(7) The Contractor warrants to comply with its obligations under Article 32(1)(d) of the GDPR to implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing.

(8) The Contractor shall correct or delete the data that is the subject of the contract if the Client instructs it to do so and this is covered by the scope of instructions. If a deletion in compliance with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in compliance with data protection on the basis of an individual order by the Customer or shall return these data carriers to the Customer, unless already agreed in the contract. 

In special cases to be determined by the client, storage or handover shall take place. Remuneration and protective measures for this are to be agreed separately, unless already agreed in the contract. 

(9) Data carriers and all other materials shall be surrendered at the request of the Customer after the end of the order. The Contractor shall delete all stored data of the Customer no later than three months after the end of the order.

(10) In the event of a claim against the Client by a data subject with regard to any claims under Art. 82 of the GDPR, the Contractor undertakes to support the Client in defending the claim to the extent possible. 

§ 4 Duties of the Customer

(1) The Customer shall inform the Contractor immediately and in full if it discovers errors or irregularities in the order results with regard to data protection provisions.

(2) In the event of a claim against the Client by a data subject with regard to any claims pursuant to Art. 82 of the GDPR, Section 3 (10) shall apply accordingly. 

(3) The Customer shall inform the Contractor of the contact person for data protection issues arising within the scope of the contract.

§ 5 Requests from affected persons

(1) If a data subject approaches the Contractor with requests for correction deletion or information, the Contractor shall refer the data subject to the Client, provided that an assignment to the Client is possible according to the data subject's information. 

(2) The Contractor shall immediately forward the request of the data subject to the Client. 

(3) The Contractor shall support the Client within the scope of its possibilities upon instruction, as far as agreed. 

(4) The Contractor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the Client.

§ 6 Verification options

(1) The Contractor shall prove to the Customer compliance with the obligations set forth in this Agreement by appropriate means.

(2) If, in individual cases, inspections by the Customer or an inspector commissioned by the Customer are necessary, these shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Contractor may make such inspections dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organizational measures that have been set up. If the auditor commissioned by the Client is in a competitive relationship with the Contractor, the Contractor shall have a right of objection against the auditor.

The Contractor may demand remuneration for assistance in carrying out an inspection. The scope of an inspection and the remuneration to be paid for it shall be agreed in writing in advance.

(3) Should a data protection supervisory authority or another sovereign supervisory authority of the Customer carry out an inspection, Paragraph 2 shall apply accordingly in principle. It shall not be necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality where a violation is punishable under the German Criminal Code.

§ 7 Subcontractors (other processors)

(1) Subcontractors within the meaning of this Agreement are third parties directly and immediately involved in the provision of the scope of services agreed with the Customer for Finui Software on behalf of the Contractor. Related ancillary services of the Contractor, such as the operation of a customer database, room maintenance, the operation of IT infrastructures, printing and mailing services are not covered by this. The Contractor's obligation to ensure data protection and data security remains unaffected by this and arises as the responsible party within the meaning of Art. 4 No. 7 DSGVO. 

(2) Subcontractors in third countries may only be engaged if the special requirements of Art. 44 et seq. GDPR are met (e.g., adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).

(3) The commissioning of subcontractors for the processing or use of the Client's data is generally only permitted with the Client's approval. 

(4) The Contractor shall provide the Customer with a list of all subcontractors in Annex 2.

(5) Approval for the commissioning of additional contract processors at the time of signing shall be deemed to have been granted on the basis of the documentation from Paragraph 4.

(6) Furthermore, the Customer shall grant the Contractor general permission to involve further subcontractors, taking into account para. 2. The Contractor shall inform the Customer by active notification in text form (e.g. by e-mail) if it intends to involve further subcontractors. The Customer may object to this only if there is an important reason under data protection law. The objection must be declared in text form to the Customer within 14 days of the Contractor's active announcement. In the event of an objection, it shall be at the discretion of the Contractor to provide the service owed without adding the subcontractor in question or to terminate the underlying usage agreement in part or in full if the intended change is not reasonable for the Contractor. 

(7) The Contractor shall contractually obligate each subcontractor in the same manner as the Contractor is obligated to the Client under this Agreement. 

(8) The transfer of personal data of the Customer to the subcontractor and its first activity shall be permitted only after all requirements for subcontracting have been met.

§ 8 Information duties, written form clause, choice of law

(1) Should the Customer's data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the "responsible person" within the meaning of the General Data Protection Regulation.

(2) Amendments and supplements to this Agreement and all of its components - including any warranties of the Contractor - shall require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to the waiver of this formal requirement.

(3) In the event of any contradictions, the provisions of this agreement on data protection shall take precedence over the provisions of the user agreement. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

(4) German law shall apply.

§ 9 Liability and compensation

The Client and the Contractor shall be liable vis-à-vis data subjects in accordance with the provision set out in Art. 82 GDPR.

Attachment 1

Agreement on commissioned processing pursuant to Art. 28 (3) of the General Data Protection Regulation (DSGVO)


The Controller has taken the following technical and organizational measures to achieve the level of protection for data processing (in particular with regard to confidentiality, integrity, availability and resilience of the systems as well as the regular review of the measures), in accordance with the data protection regulations, in particular Article 32 of the General Data Protection Regulation (GDPR).

This document has been prepared in accordance with the legal requirements and is intended to provide a general description to enable a preliminary check to be made as to whether the data security measures taken are appropriate for the aspects described below. 

Legal requirements

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risk in terms of likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the following, as appropriate:

  • the pseudonymization and encryption of data;
  • The ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
  • The ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;
  • a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

The requirements are mapped and documented in the following categories of TOMs:

  • Overarching, organizational aspects
  • Physical access protection (building/perimeter/sites)
  • Access security (system)
  • Data carrier backup
  • Transmission fuse  
  • Input control
  • Separation control
  • Availability control
  • Order Control.

Scope and application area

The scope of this document is based on the respective license agreement and covers the operational processing and infrastructures in connection with the development and operation of the Finui Software. The Finui Software is operated in the cloud infrastructure of the provider Amazon Web Services (AWS). 

In addition, Finui uses further processors who carry out processing of personal data on behalf of Finui in accordance with instructions on the basis of agreed contracts for commissioned processing (Art. 28 DSGVO). 

For the sake of transparency and clarity, this document includes the description of the technical and organizational measures at the core infrastructure level. Reference is made to the following documents as central evidence for the TOM documentation of these providers:

Amazon Web Services (AWS):


Description of the individual measures

Procedures for regular review, assessment and evaluation / Overarching organizational measures

Data Protection Management System (DSMS)

Guidelines and directives for the implementation of data protection requirements are available and approved within the company.


Commitment to data secrecy

The employed and freelance staff, external service providers or subcontractors are bound to data secrecy.


Risk management in the data center (Security Operations Center)

All data center sites have implemented risk management systems and site-specific security operations centers. 


Access control (physical) 

Access control and monitoring

Access to data processing facilities is organizationally regulated and technically secured or controlled (e.g., with fences, gatekeepers, electronic access controls).


Video surveillance

Physical access points to server rooms are monitored by video cameras. Recordings are retained in accordance with regulatory and compliance requirements.


Alarm systems

The rooms with data processing equipment are monitored outside the closing hours by alarm systems with connection to police/fire department/guard service (24/7) /central office/doorman.


Access control (system)

Strong authentication (management console) 

Access to the host's management console is secured with multi-factor authentication.


Identification and authentication process (user)

Use of passwords and defined password rules.


Roles and rights concept

Existence of rules and procedures for creating, modifying, deleting authorization profiles or user roles.


Encryption of data carriers and/or databases   

Dormant data
Data carriers are encrypted according to current industry standards (here: AES-256).


Host-based attack detection system (HIDS)

Every server system is equipped with a host-based attack detection system. This monitors at least parameters such as conspicuous system log entries, signatures of known rootkits and Trojans, conspicuities in the device file system, or bruteforce attacks.


Logging data access

All read, input, change and delete transactions are logged (user ID, transaction details) and archived in an audit-proof manner for at least 6 months


Access control (hardware, terminals)


Accesses that allow access to personal data are always made via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols.


Identification and authentication process (user)

Access protection to all data processing systems through user authentication


Roles and rights concept

Roles and permissions are assigned on a per-user basis and reviewed regularly. 


Secure passwords

Implementation of complex passwords 
- Minimum length 8 characters
- Defined number of 3 failed attempts leads to access blocking. 


Inactivity control 

End devices are locked 5 minutes after last entry and can only be unlocked again with user authentication data.  


Transfer control 

Transport encryption ("Data in Transit")

Ensuring the integrity of data during transport by calculating checksums.

Data transfers between clients and servers are encrypted.


Prohibition of disclosure to unauthorized third parties

A transfer of personal data, which takes place on behalf of the client, may only take place to the extent of the instructions and as far as this is necessary for the provision of the contractual services for the client. In particular, the disclosure of personal data from the order to unauthorized third parties, e.g. by storage in another cloud storage, is not permitted.


Input control

Logging of system activities within the admin and customer system as well as evaluation

Significant system activities are logged (min. user ID, rights according to role concept, IP address, system components or resources, type of activities performed, and time stamp) and currently retained for up to 30 days. This includes in particular the entry, modification and deletion of data, users and authorizations, as well as changes to system settings. Upon request and/or in the event of concrete suspicion, a corresponding evaluation of the logs can be carried out.


Separation requirement

Client separation 

The separate processing and storage of data from different clients is ensured by logical client separation based on a multi-tenancy architecture. Data is assigned and identified by assigning a unique identifier to each client (e.g., customer number/company ID).


Separation of functions

Test/development and productive environments are separated from each other. Testing and development takes place with completely anonymized test data.


Network separation

Depending on the technical possibilities, the networks are separated physically or by means of virtual networks.

 The following networks are used permanently: operating environment ("production"), test environment ("staging"), office IT employees, office IT guests. Additional networks are created as required.


Availability control 

Data backup and recovery concept

To ensure adequate availability, a backup concept for the database with the client's data stored on it and the storage medium with corresponding stored documents has been implemented in accordance with the state of the art.

Regular full restore tests are performed to ensure recoverability in the event of an emergency/disaster.


IT emergency / business continuity planning in the data center

The data center has business continuity management to maintain and restore operations during emergencies.


Georedundant sites

To ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, it is ensured that corresponding specifications of spatial separation are guaranteed with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centers at a sufficient distance or data centers of different availability zones


Capacity management

A capacity management system including monitoring and automatic notification of the responsible employees at Finui in the event of capacity bottlenecks has been implemented.


Warning systems for monitoring the accessibility and state of the server systems

An alert system is in place to monitor the accessibility and status of the server systems. In the event of failures, the infrastructure department is automatically notified in order to take immediate action to rectify the problem.


Incident Response Management")

A concept and documented procedures exist for dealing with disruptions and security-relevant events ("incidents"). This includes, in particular, the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security-relevant events, and the definition of corresponding responsibilities and reporting channels in the event of a breach of the protection of personal data within the framework of the legal requirements.


Data center availability

Other measures to ensure availability in the data centers are in use, such as: automatic fire detection and suppression, smoke sensors, temperature control in the entire data center environment, redundant power supply systems, uninterruptible power supply (UPS), generators that can supply the entire facility with emergency power. Preventive maintenance is performed to ensure the continued operation of the facilities.


Order control 

Service provider control

Involved service providers are reviewed on a risk basis before the start of the outsourced activities and during the provision of services.



Regular internal audits on data privacy and information security are carried out while ensuring the independence of the auditor (e.g., from another area or externally).


Enclosure 2

Agreement on commissioned processing pursuant to Art. 28 (3) of the General Data Protection Regulation (DSGVO)

Subcontracting relationships

Amazon Web Services Inc

410 Terry Avenue NorthSeattle, WA 98109, USA

Cloud infrastructure, hosting of the servers to run the software, exclusively European server locations.

Klippa App B.V.

Lübeckweg 29723 HE GroningenThe Netherlands

Automatic text recognition of invoices 

Microsoft Ireland Operations Limited

The Atrium Building
Block B, Carmanhall Road
Sandyford Business Estate
Dublin 18, Ireland

E-mail system, data storage, exclusively European server locations

Sendinblue GmbH

Köpenicker Straße 126, 10179 Berlin

Sending transactional emails

Okta UK Limited

20 Farringdon RoadECIM 3HE, United Kingdom

System access and identification management

fedoco Development

Karwendelring 2586956 Schongau, Deutschland

Tax office interface for sales tax reporting