Data Processing Agreement (DPA)
Effective Date: 24/6/2025
Between:
Controller: The Customer using the Companyplanner platform ("Controller")
Processor: Vinduespudserskolen ApS
Frederikssundsvej 343-345
2700 Copenhagen, Denmark
CVR: 45312933
legal@vinduespudserskolen.dk ("Processor")
1. Purpose
This Data Processing Agreement governs the processing of personal data carried out by the Processor on behalf of the Controller as part of the use of the Companyplanner SaaS platform ("the Service").
2. Subject Matter of Processing
The Processor provides a digital platform for planning, scheduling, and business management, where the Controller may upload and manage personal data related to its own customers and contacts.
The Processor processes this data solely on behalf of the Controller.
3. Duration
This DPA remains valid as long as the Controller maintains an active account with the Processor and until all personal data has been deleted or returned.
4. Nature and Purpose of Processing
- Nature: Collection, storage, transmission, analysis, and deletion of personal data
- Purpose: To provide the functionality of the Companyplanner platform
5. Categories of Data Subjects
May include, but are not limited to:
- Controller's customers
- Controller's employees
- End-users of the Controller's services
6. Categories of Personal Data
May include:
- Names, contact details, addresses
- Job scheduling and task information
- Payment or invoicing details
- Any custom data the Controller enters into the system
Note: No special categories of data (e.g. health, religion) should be entered unless explicitly agreed.
7. Obligations of the Processor
The Processor agrees to:
- Process data only on documented instructions from the Controller
- Ensure that all persons authorized to process the data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Appendix A)
- Assist the Controller in fulfilling data subjects' rights (access, erasure, etc.)
- Assist with data protection impact assessments (DPIA) if required
- Delete or return all personal data upon termination of the service
- Allow audits or inspections (upon reasonable notice)
8. Subprocessors
The Processor may use subprocessors to provide parts of the service (e.g. hosting, email delivery, analytics). A current list is available upon request.
The Processor shall ensure subprocessors comply with GDPR obligations under this DPA.
9. International Data Transfers
If personal data is transferred outside the EU/EEA, the Processor ensures adequate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs)
- Data processing agreements with equivalent protection
10. Obligations of the Controller
The Controller agrees to:
- Ensure it has a legal basis to collect and process personal data
- Provide lawful instructions to the Processor
- Inform data subjects as required under GDPR
- Maintain appropriate security on its own devices and accounts
11. Liability
Each party is responsible for its own compliance with applicable data protection laws. The Processor's liability is limited as set out in the main Terms of Service.
12. Termination
Upon termination of the agreement, the Processor will delete or return all personal data, unless legally required to retain it.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of Denmark. Disputes shall be resolved by the courts of Copenhagen.
14. Contact
For privacy-related matters, contact:
legal@vinduespudserskolen.dk
Appendix A – Security Measures
The Processor implements, among others:
- SSL/TLS encryption in transit
- Encrypted data storage where applicable
- Access control and authentication for internal systems
- Regular software updates and security patches
- Monitoring for unauthorized access and anomalies