This Data Processing Agreement (“DPA”) supplements the obligations of the parties under Art. 28 GDPR in the context of the Claimscan service. It forms part of the main contract (“Main Agreement” — the terms of service at /agb).
A printable copy of this agreement is available at any time via your browser's print dialog (“File → Print → Save as PDF”). A counter-signed version is available on request at security@claimscan.io.
1. Parties
Processor (“Claimscan”): Piyal Ranasinghe, Querstraße 6, 90489 Nuremberg, Germany. VAT-ID: DE343759653.
Controller (“Customer”): the legal or natural person using the Claimscan service under their account. Identity is established via the company details on file.
2. Subject Matter and Duration
Claimscan processes personal data exclusively on behalf of and on documented instructions from the Customer for the purpose of forensic image analysis (metadata, pixel forensics, optional AI detection) and the provision of case, report, and integration features under the subscribed plan. Processing begins with the Main Agreement and ends with its termination.
3. Nature, Scope, and Purpose of Processing
- Types of data: uploaded images including embedded EXIF/metadata (device, timestamps, GPS, software signatures), optional case context (order reference, SKU, claim description, shipping address) provided by the Customer.
- Categories of data subjects: Customer's end-customers (e.g. e-commerce returns claimants), Customer's staff (upload operators), and third parties depicted in the images.
- Purpose: detection of manipulated or AI-generated images in returns and claims processes; provision of forensic reports, marketplace dispute texts, and API/webhook signals.
- Processing locations: primary processing in Germany (Hetzner Online GmbH, Nuremberg). For the optional AI stages, see § 8.
4. Controller's Right to Instruct
Claimscan processes personal data only on documented instructions from the Customer. The Main Agreement together with this DPA constitutes the baseline instructions. Additional instructions must be sent in text form to security@claimscan.io. If Claimscan believes an instruction violates data protection law, it will notify the Customer immediately and suspend execution until confirmation or amendment.
5. Technical and Organizational Measures (TOM)
Claimscan implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:
- Physical access: Hetzner data center in Germany with certified data-center security to recognized standards; access limited to authorized personnel.
- System access: SSH key-only (password auth disabled), UFW firewall, Fail2ban/CrowdSec, MFA for admin accounts.
- Data access: tenant isolation at the DB layer (every query scoped by tenant_id), argon2id password hashing, JWT with HMAC signatures.
- Transfer control: TLS 1.2+ in transit (Let's Encrypt), encrypted block devices at rest; no unencrypted storage of personal data.
- Input control: audit log for public API access (ULID trace IDs), webhook delivery log, PM2/nginx access logs.
- Availability: daily automated backups (30-day retention), uptime monitoring, incident email alerts.
- Separation: logical tenant separation in Postgres and MinIO with per-tenant S3 prefixes.
- Pseudonymization: once the retention window expires, image files are deleted; only a non-reconstructable perceptual hash remains for duplicate detection.
Changes to the TOMs are documented. The current TOM register is available on request.
6. Retention and Deletion
Plan-based image retention (30 / 90 / 180 / 365 days) is enforced automatically by a daily retention job. After expiry, images are deleted from object storage. Forensic findings, scores and the perceptual hash are retained in pseudonymised form, without any ability to reconstruct the original image files. This data is used for detecting reused fraud images (see Privacy Policy section 3a) and for internal quality assurance of detection algorithms. Upon termination of the Main Agreement the Customer chooses: (a) full deletion of all personal data within 30 days, or (b) return via export (JSON + PDFs). Default (no response) is deletion.
7. Assistance to the Controller
Claimscan supports the Customer in complying with Art. 32–36 GDPR by:
- providing processing information (Art. 15) and data export on request (Art. 20);
- notifying the Customer of a personal data breach within 72 hours of becoming aware, by email to the account address on file;
- supporting data protection impact assessments (Art. 35) on written request against reasonable compensation where the effort exceeds standard support.
8. Sub-processors
The Customer grants Claimscan general authorization to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany | Server hosting, database, object storage |
| Vercel Inc. | USA (DPF + SCC) | Frontend hosting |
| Anthropic PBC | USA (SCC) | Optional vision AI (pipeline stage 6, ~15% of analyses; can be disabled in account settings) |
| All-Inkl.com (Neue Medien Münnich) | Germany | Transactional email |
Changes to the sub-processor list will be communicated to the Customer at least 30 days in advance by email. The Customer may object for important reasons; if the objection prevents Claimscan from providing the service contractually, both parties have an extraordinary termination right.
9. International Transfers
Transfers to Anthropic PBC and Vercel Inc. (USA) rely on EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and — where certified — the EU-US Data Privacy Framework. The Customer can disable the optional AI stage; in that case image content remains exclusively in Germany.
10. Data Subject Rights
Claimscan assists the Customer in handling data subject requests. If a data subject contacts Claimscan directly, we forward the request to the Customer immediately where attribution to the account is unambiguous.
11. Evidence and Audit
On request, Claimscan provides all information necessary to demonstrate compliance with Art. 28 GDPR. The Customer may audit by prior arrangement and while respecting Claimscan's operations, either directly or through an independent auditor (NDA required). Costs are borne by the Customer; where material non-compliance is found, Claimscan bears reasonable audit costs.
12. Liability
The liability provisions of the Main Agreement apply to this DPA. Art. 82 GDPR remains unaffected.
13. Final Provisions
This DPA enters into force upon conclusion of the Main Agreement and ends with its termination. Should individual provisions be invalid, this does not affect the remaining provisions. Venue: Nuremberg, where the Customer is a merchant, a legal entity under public law, or a public-law special fund. Governing law: German law, excluding the UN Convention on Contracts for the International Sale of Goods.