Data Processing Agreement / AVV
Draft outline for B2B customers. A final AVV/DPA must be prepared or reviewed by a qualified legal professional before it is offered for signature.
Purpose and subject matter
This DPA/AVV outline covers processing required to provide the DB-Backup Manager website, customer portal, subscription management, license activation, support, and administrative license services.
Categories of data
- Customer account data: email address, company name, account identifiers, and support contact details.
- Subscription and billing metadata: selected plan, subscription status, payment provider reference IDs, renewal status, and cancellation state.
- License and activation metadata: activation key, plan limits, status, expiry, activation count, hashed machine identifier, app version, and last-seen timestamp.
- Security and audit metadata: login events, failed login attempts, license changes, admin actions, hashed IP metadata, and user agent where required for security.
Data not processed by the licensing website
The license portal is designed not to receive database contents, backup files, SQL dump files, database passwords, SMTP passwords, cloud refresh tokens, internal database names, internal server names, or customer backup destination paths from the desktop backup application.
Technical and organizational measures
Access control
Administrative license features are role-restricted, and their use should be logged. Admin accounts should use strong passwords, and admin access should be restricted to a limited set of personnel.
Transport security
The customer portal and license API should be served only over HTTPS/TLS. API secrets must be stored as platform secrets, not in source code.
Data minimization
Only account, subscription, license, activation, and support metadata required to operate the service should be processed.
Local backup security
The desktop application keeps backup files and database credentials local to the customer environment unless the customer configures a storage destination.
Sub-processors
List production sub-processors before launch, for example website hosting, database hosting, payment provider, transactional email provider, and support systems. Include processing purpose, country/region, and transfer safeguards where required.
Assistance and incident handling
Define support channels, breach notification procedures, response times, audit cooperation, and how customer deletion/export requests are handled.
Deletion and return
After contract termination, account/license data should be deleted or anonymized according to legal retention obligations and the customer's documented request. Billing records may be retained where statutory retention applies.