This Data Processing Agreement ("DPA") forms part of the Terms of Service between planCoo ("Processor") and the business customer ("Controller") using our services.

1. Definitions

Terms used in this DPA have the meanings given in the GDPR (General Data Protection Regulation).

2. Processing Details

2.1 Subject Matter

Processing of personal data necessary to provide the planCoo services.

2.2 Duration

For the duration of the Terms of Service agreement.

2.3 Nature and Purpose

To provide project management and collaboration services to the Controller and its authorized users.

2.4 Types of Personal Data

• Basic account information (names, email addresses)
• Authentication data (email address; password credentials processed and stored by Firebase Authentication as salted/hashed values; authentication events such as sign-in timestamps and technical metadata)
• Profile information
• Project and task metadata
• User activity logs and technical logs (e.g. request timestamps, IP address, user agent, request identifiers, error traces)

2.5 Categories of Data Subjects

• Controller's employees and contractors
• Other individuals the Controller authorizes to use the service

3. Obligations of the Processor

planCoo shall:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorized to process the data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Assist the Controller in ensuring compliance with security obligations
• Delete or return all personal data after the end of services
• Make available information necessary to demonstrate compliance

4. Sub-processors

planCoo uses the following sub-processors:

• Microsoft Azure (hosting, storage)
• Firebase Authentication and reCAPTCHA (Google LLC) (authentication and abuse prevention)
• LemonSqueezy (payment processing)
• Cloudflare (DNS management and security/traffic management)

The Controller hereby provides general authorization for PlanCoo to engage these sub-processors.

Optional third-party integrations initiated by end users (such as LinkedIn account linking/content sharing) may involve separate third-party processing contexts and are described in Section 5.

5. International Transfers

PlanCoo uses a mix of EU/EEA-based storage for primary application data and global/US-based processing for certain platform services and subprocessors.

Current processing/transfer overview (factual, as currently configured):

• Microsoft Azure (primary application data and files): West Europe (Netherlands) for primary application data, including Azure SQL Database and Azure Blob Storage.


• Azure Static Web Apps (hosting/edge delivery): Resource region: East US 2 (Azure resource location, as currently configured) with globally distributed edge delivery for static content (Global).


• Telemetry and technical logs (Microsoft Azure Application Insights / Log Analytics): Not enabled (Application Insights resource has been removed; no application telemetry ingestion is configured at this time).


• Firebase Authentication (Google LLC): Global service (Google). PlanCoo uses email + password, email-link sign-in (“magic link”), and Google sign-in.


• Google reCAPTCHA (Google LLC): Global service (Google) used for abuse prevention on public endpoints.


• Payments/subscriptions (LemonSqueezy): US/global processing by the payment provider.


• Cloudflare (DNS/WAF): Global network processing for DNS and security/traffic management.

Where personal data is processed/transferred outside the EU/EEA, PlanCoo relies on the European Commission Standard Contractual Clauses (SCCs) and applicable vendor contractual/technical safeguards.

5.1 Firebase Authentication – concrete scope

PlanCoo uses Firebase Authentication as a specialized authentication service so that PlanCoo does not have to implement and operate custom password storage and verification. This reduces security risk and leverages a mature authentication platform.

Firebase Authentication is an established authentication provider used widely in industry, with documented security and compliance controls.

What we use (authentication methods):

• Email + password sign-in


• Email-link sign-in (“magic link”)


• Google sign-in (via Firebase Authentication)


• Microsoft sign-in (via Firebase Authentication)

Personal data processed for authentication (typical categories):

• Email address (used for account identification and for sending sign-in links)


• Password credential (handled by Firebase Authentication; PlanCoo does not store raw passwords)


• Firebase user identifier (UID)


• For Google sign-in: provider identifier and basic profile attributes returned by the provider (typically name, email, profile picture)


• For Microsoft sign-in: provider identifier and basic profile attributes returned by the provider (typically name, email, profile picture)


• Authentication events/metadata (e.g. sign-in time, IP address and device/browser information used for security and fraud prevention)

Why this processing happens: to verify user identity, issue/validate authentication tokens, and secure access to the PlanCoo service.

5.2 Realtime Chat – concrete scope

PlanCoo provides a realtime chat feature to facilitate collaboration between users.

Service Provider & Location:

• Firebase Realtime Database & Firestore (Google Cloud)


• Region: europe-west1 (Belgium). All chat data is stored and processed exclusively within the EU/EEA.

Data Processed:

• Chat messages (text content)


• Metadata (timestamps, sender UID, participant UIDs)

Security Measures:

• Strict Access Control: Database rules enforce that only the specific participants in a conversation can read or write messages.


• Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest.


• Data Minimization: Chat data is managed through access controls and account/data deletion workflows in the service.

5.3 Telemetry and operational logging – concrete scope

To operate and secure the service, PlanCoo (and relevant infrastructure providers) may process limited technical and operational data such as:

• Request metadata (timestamps, URL path, response status codes)


• Network identifiers (IP address)


• Device/browser information (user agent)


• Diagnostics and error traces

PlanCoo aims to minimize personal data in logs and uses redaction/pseudonymization where practical (e.g. not logging authentication tokens and avoiding logging full request bodies by default).

5.4 Sub-processor compliance (concrete controls)

PlanCoo uses the following concrete measures to maintain GDPR compliance when using subprocessors:

• Contractual governance: We maintain DPAs (and SCCs where applicable) with subprocessors that process personal data.


• Purpose limitation: Subprocessors are used for narrowly defined purposes (hosting, authentication, payments, security) and not for unrelated processing.


• Data minimization: We minimize the personal data sent to subprocessors and avoid sending sensitive payloads where not necessary (e.g. do not log auth tokens; avoid logging full request bodies by default).


• Access control: Access to production systems and operational tooling is restricted by role and least privilege.


• Security measures: TLS in transit, encryption at rest where supported, and standard security controls from infrastructure providers.

5.5 LinkedIn account linking and sharing (optional)

PlanCoo offers optional LinkedIn features (account linking/verification and user-initiated sharing).

When this applies: only if an authorized user explicitly initiates LinkedIn linking or sharing.

Typical data categories involved: LinkedIn account identifier (`sub`), basic profile attributes returned by LinkedIn (typically name, email, profile image), LinkedIn profile URL, and content the user chooses to publish.

Token handling: LinkedIn OAuth access tokens are used on-demand for requested operations and are not stored persistently by PlanCoo.

Role of LinkedIn: For user-initiated posting/linking, LinkedIn may act as an independent controller for data processed in its platform according to LinkedIn's terms and privacy documentation.

6. Security Measures

PlanCoo implements appropriate technical and organizational security measures including:

6.1 Authentication & Access Control

• Authentication via Firebase Authentication (email + password, email-link sign-in “magic link”, Google sign-in, and Microsoft sign-in)
• Role-based access control for system resources
• Token-based authentication using short-lived Firebase ID tokens for API access

6.2 Data Storage Security

• Data encryption at rest in Azure SQL Database
• Transparent Data Encryption (TDE) for database protection
• Azure Blob Storage with encryption for file content

6.3 Data Transmission Security

• HTTPS/TLS encryption for all data in transit
• Secure API endpoints with proper authentication
• Time-limited Shared Access Signatures (SAS) for blob storage access
• Secure webhook implementation with signature verification
• SSL/TLS termination and optimization through Cloudflare

6.4 Application Security

• Regular security updates and patch management
• Input validation and output encoding to prevent injection attacks
• Protection against common web vulnerabilities (XSS, CSRF)
• Secure development practices and code reviews
• Content Security Policy (CSP) implementation restricting resource origins
• Browser security headers (X-XSS-Protection, X-Content-Type-Options)

6.5 Infrastructure Security

• Hosting on Microsoft Azure (cloud infrastructure security and access controls)
• DDoS protection through both Azure services and Cloudflare
• Cloudflare Web Application Firewall (WAF)
• Access controls for operational systems

6.6 Operational Security

• Operational monitoring and troubleshooting using telemetry and technical logs (see Section 5.3)

6.7 Organizational Measures

• Access provided on a need-to-know basis
• Documented internal policies and review cadence (where established)

6.8 Third-Party Security

• Contractual requirements for subprocessors (DPAs, and SCCs where applicable)

Annex A — Processing details (summary)

• Subject matter: Provision of PlanCoo services.
• Duration: For the term of the services.
• Nature and purpose: Project management and collaboration features, account administration, security and abuse prevention.
• Categories of data subjects: Authorized users of the Controller.
• Types of personal data: As listed in Section 2.4.

Annex B — Subprocessors (summary)

PlanCoo uses the subprocessors listed in Section 4 for the purposes described below:

• Microsoft Azure: Hosting, application data storage (Azure SQL Database, Blob Storage), and platform delivery (Static Web Apps).


• Google LLC (Firebase Authentication, reCAPTCHA): Authentication and abuse prevention.


• LinkedIn (optional, user-initiated integration): Account linking/verification metadata and user-initiated social publishing.


• LemonSqueezy: Payment and subscription processing.


• Cloudflare: DNS and security/traffic management.

7. Contact Information

For DPA matters, contact: [email protected]