Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") specifies the obligations of the parties pursuant to Art. 28 GDPR. It is concluded between the customer (controller) and the provider named in the legal notice (processor).
Acceptance
By registering and using the Service, the customer accepts this DPA. A signed version can be made available on request; the request is to be sent by email to the address given in the legal notice.
1. Subject and duration
The subject of the data processing is the provision of the SaaS platform Waveboard. The duration of the processing corresponds to the term of the main contract.
2. Nature and purpose
Master data, contact data, contract and billing data of the customer’s end customers, project and task data, and time tracking data are processed. The purpose is to provide the functions used by the customer.
3. Data subjects
Employees, end customers, and contact persons of the customer whose data the customer stores in the platform.
4. Obligations of the processor
The processor processes personal data exclusively on documented instructions of the controller, obligates its employees to confidentiality, takes technical and organizational measures pursuant to Art. 32 GDPR, and supports the controller in fulfilling data subject rights.
5. Technical and organizational measures
Access control through authentication and row-level security; transport encryption (TLS) and encryption of the database at rest; regular backups; pseudonymization where possible; logging of security-relevant events; separation of tenant data.
6. Sub-processors
The controller grants general authorization for the use of the sub-processors listed in the privacy policy. Changes are announced at least 30 days in advance; the controller may object.
7. Data subject rights
The processor provides the controller with tools by which data subject rights (information, rectification, erasure, portability) can be fulfilled independently.
8. Notification of breaches
Personal data breaches are reported by the processor without undue delay, generally within 48 hours of becoming aware.
9. Termination
After the end of the contract, the processor will delete all personal data within 30 days, unless statutory retention obligations exist. On request, an export will be made possible beforehand.