Trust Center
Everything you need to work with us
Aldor processes health data on your behalf. This is the one place for what the GDPR requires for that: the data processing agreement (AVV), our technical measures, and the full list of our subprocessors.
Four areas
What you'll find here
- 01 Security: Encryption, tenant isolation, and hosting exclusively in Germany. View security
- 02 Privacy: How we protect personal data and honour data-subject rights. Privacy policy
- 03 Agreements: The AVV (Art. 28 GDPR) and technical measures to download. View documents
- 04 Subprocessors: The full, always-current list of the providers we engage. View list
What Aldor meets
- Checked: GDPR compliant. Processing under Art. 6, DPA under Art. 28. Full TOMs.
- Live: Hetzner Germany. Hosting in Nuremberg + Falkenstein. No US cloud, EU-only.
- Recognised: § 45a SGB XI. Recognition-audit reports on demand. 10-year retention.
- Certified: ISO 27001 (Hetzner). Data centres ISO-27001 certified. Aldor itself built to the same standard.
- Active: AES-256 before the DB. Active Record Encryption per column. Even DB admins see ciphertext.
- Default: Postgres Row-Level Security. Tenant isolation in the DB, not in code. No filter to forget.
Documents
Agreements and records
Download the current versions. You conclude the AVV with a few clicks after signing in.
- Data Processing Agreement (Auftragsverarbeitungsvertrag): Template under Art. 28 GDPR including technical and organisational measures. Version 1.0 · As of July 01, 2026 · Download
- General Terms and Conditions (AGB): The general terms and conditions for using Aldor. Version 1.0 · As of July 01, 2026 · Download
- Technical and organisational measures (TOM): The safeguards under Art. 32 GDPR at a glance. Version 1.0 · As of July 01, 2026 · Download
- Privacy policy: How we process personal data on the website and in the application. Version 1.0 · As of July 01, 2026 · Download
Subprocessors
Who we engage
| Provider | Purpose | Processing location | Data categories |
|---|---|---|---|
| Hetzner Online GmbH | Hosting, database, object storage & e-mail delivery (EU data centre) | Germany (Nuremberg, Falkenstein) | Master data, health data (Art. 9), billing data, documents, communication data |
| finAPI GmbH | Account information service (bank reconciliation for billing) | Germany (Munich) | Bank details, payment data |
| Stripe Payments Europe, Ltd. | Payment processing for the Aldor subscription | Ireland | Invoice data, payment data |
| Google Cloud EMEA Ltd. (Vertex AI) | AI features (Lotte assistant, document recognition); no storage of the submitted content | EU (Frankfurt) | Content submitted for AI processing (may include health data) |
| Google Ireland Limited (Google Maps Platform) | Address autocomplete, geocoding & route calculation | EU (Ireland) | Addresses, coordinates |
| Apple Distribution International Ltd. (APNs) | Push notifications to iOS devices | Ireland | Push tokens, notification texts |
| Twilio Ireland Limited | SMS delivery (optional, can be enabled per organisation) | Ireland | Mobile phone numbers, message content |
This list is kept continuously up to date.