This Data Processing Agreement ("DPA") forms part of the Terms of Service between PlanCoo ("Processor") and the business customer ("Controller") using our services.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR (General Data Protection Regulation).

2. Processing Details

2.1 Subject Matter

Processing of personal data necessary to provide the PlanCoo services.

2.2 Duration

For the duration of the Terms of Service agreement.

2.3 Nature and Purpose

To provide project management and collaboration services to the Controller and its authorized users.

2.4 Types of Personal Data

• Basic account information (names, email addresses)
• Profile information
• Project and task metadata
• User activity logs

2.5 Categories of Data Subjects

• Controller's employees and contractors
• Other individuals the Controller authorizes to use the service

3. Obligations of the Processor

PlanCoo shall:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorized to process the data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Assist the Controller in ensuring compliance with security obligations
• Delete or return all personal data after the end of services
• Make available information necessary to demonstrate compliance

4. Sub-processors

PlanCoo uses the following sub-processors:

• Microsoft Azure (hosting, storage)
• Firebase/Google (authentication)
• LemonSqueezy (payment processing)
• Cloudflare (DNS management, content delivery, security services)

The Controller hereby provides general authorization for PlanCoo to engage these sub-processors.

5. International Transfers

Personal data may be transferred to and processed in:

• Microsoft Azure regions: West Europe (Netherlands) and East US (Virginia)
• Google's data centers (Firebase)
• LemonSqueezy's processing locations

Such transfers are governed by the European Commission's Standard Contractual Clauses.

6. Security Measures

PlanCoo implements appropriate technical and organizational security measures including:

6.1 Authentication & Access Control

• Multi-factor authentication options via Firebase Authentication
• Role-based access control for system resources
• Token-based authentication with regular token rotation
• Expiring session management
• Automatic idle session termination

6.2 Data Storage Security

• Data encryption at rest in Azure SQL Database
• Transparent Data Encryption (TDE) for database protection
• Azure Blob Storage with encryption for file content
• Geographical data redundancy through Azure's infrastructure

6.3 Data Transmission Security

• HTTPS/TLS encryption for all data in transit
• Secure API endpoints with proper authentication
• Time-limited Shared Access Signatures (SAS) for blob storage access
• Secure webhook implementation with signature verification
• SSL/TLS termination and optimization through Cloudflare

6.4 Application Security

• Regular security updates and patch management
• Input validation and output encoding to prevent injection attacks
• Protection against common web vulnerabilities (XSS, CSRF)
• Secure development practices and code reviews
• Content Security Policy (CSP) implementation restricting resource origins
• Browser security headers (X-XSS-Protection, X-Content-Type-Options)

6.5 Infrastructure Security

• Azure infrastructure security with network isolation
• DDoS protection through both Azure services and Cloudflare
• Cloudflare Web Application Firewall (WAF)
• Content Delivery Network (CDN) through Cloudflare
• Firewall and network security groups
• Monitored and logged system access

6.6 Operational Security

• Regular security assessments and vulnerability scanning
• Audit logging of system activities
• Incident response procedures
• Backup and disaster recovery planning

6.7 Organizational Measures

• Data protection training for staff
• Access provided on a need-to-know basis
• Documented internal security policies
• Regular review of security measures

6.8 Third-Party Security

• Vendor security assessment for sub-processors
• Contractual security requirements for all service providers
• Regular monitoring of sub-processor compliance

7. Contact Information

For DPA matters, contact: [email protected]