Data Processing Agreement (DPA)
Framework for the processing of personal data on behalf of the controller under Art. 28 GDPR.
Upon request we provide customers with a data processing agreement (DPA) under Art. 28 GDPR. The overview below summarizes the key points.
Subject Matter and Duration
Processing is carried out in connection with the customer's (controller's) use of the Costvera application. Duration corresponds to the term of the agreement.
Data Categories and Purpose
Personal data as set out in the Privacy Policy and record of processing (user data, project data, salary data where applicable, audit logs). Purpose: provision and operation of the application.
Processor Obligations
We process data only on documented instructions, ensure confidentiality and technical and organizational measures, assist with access requests and erasure, assist with security incidents and audits to the agreed extent.
Subprocessors
A current list of subprocessors (hosting, email, payment) is provided on request or maintained in the Privacy Policy. We will inform you of changes with reasonable notice and allow for objection.
Deletion and Return
Upon termination of the agreement we delete or return all personal data unless legal retention applies. The 30-day deletion period upon termination is described in the Privacy Policy.